mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2025-01-11 07:29:34 -05:00
082bc48c32
https://review.lineageos.org/q/topic:P_asb_2022-05 https://review.lineageos.org/q/topic:P_asb_2022-06 https://review.lineageos.org/q/topic:P_asb_2022-07 https://review.lineageos.org/q/topic:P_asb_2022-08 https://review.lineageos.org/q/topic:P_asb_2022-09 https://review.lineageos.org/q/topic:P_asb_2022-10 https://review.lineageos.org/q/topic:P_asb_2022-11 https://review.lineageos.org/q/topic:P_asb_2022-12 https://review.lineageos.org/q/topic:P_asb_2023-01 https://review.lineageos.org/q/topic:P_asb_2023-02 https://review.lineageos.org/q/topic:P_asb_2023-03 https://review.lineageos.org/q/topic:P_asb_2023-04 https://review.lineageos.org/q/topic:P_asb_2023-05 https://review.lineageos.org/q/topic:P_asb_2023-06 https://review.lineageos.org/q/topic:P_asb_2023-07 accounted for via manifest change: https://review.lineageos.org/c/LineageOS/android_external_freetype/+/361250 https://review.lineageos.org/q/topic:P_asb_2023-08 accounted for via manifest change: https://review.lineageos.org/c/LineageOS/android_external_freetype/+/364606 accounted for via patches: https://review.lineageos.org/c/LineageOS/android_system_ca-certificates/+/365328 https://review.lineageos.org/q/topic:P_asb_2023-09 https://review.lineageos.org/q/topic:P_asb_2023-10 https://review.lineageos.org/q/topic:P_asb_2023-11 accounted for via patches: https://review.lineageos.org/c/LineageOS/android_system_ca-certificates/+/374916 https://review.lineageos.org/q/topic:P_asb_2023-12 https://review.lineageos.org/q/topic:P_asb_2024-01 https://review.lineageos.org/q/topic:P_asb_2024-02 https://review.lineageos.org/q/topic:P_asb_2024-03 https://review.lineageos.org/q/topic:P_asb_2024-04 Signed-off-by: Tavi <tavi@divested.dev>
79 lines
3.2 KiB
Diff
79 lines
3.2 KiB
Diff
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
From: Sagar Verma <quic_sagarv@quicinc.com>
|
|
Date: Sun, 12 Jun 2022 00:05:07 +0530
|
|
Subject: [PATCH] AVRC: Validating msg size before accessing fields
|
|
|
|
This change adds buffer length validation during the parsing of AVRCP
|
|
browse commands.
|
|
|
|
Change-Id: I3a6c7a9ea2323a04ce5c5368eabfa940a8152cba
|
|
---
|
|
stack/avrc/avrc_pars_tg.cc | 19 +++++++++++++++++++
|
|
1 file changed, 19 insertions(+)
|
|
|
|
diff --git a/stack/avrc/avrc_pars_tg.cc b/stack/avrc/avrc_pars_tg.cc
|
|
index ebeff219e..b8b225702 100644
|
|
--- a/stack/avrc/avrc_pars_tg.cc
|
|
+++ b/stack/avrc/avrc_pars_tg.cc
|
|
@@ -406,6 +406,12 @@ tAVRC_STS AVRC_Ctrl_ParsCommand(tAVRC_MSG* p_msg, tAVRC_COMMAND* p_result) {
|
|
return status;
|
|
}
|
|
|
|
+#define RETURN_STATUS_IF_FALSE(_status_, _b_, _msg_, ...) \
|
|
+ if (!(_b_)) { \
|
|
+ AVRC_TRACE_DEBUG(_msg_, ##__VA_ARGS__); \
|
|
+ return _status_; \
|
|
+ }
|
|
+
|
|
/*******************************************************************************
|
|
*
|
|
* Function avrc_pars_browsing_cmd
|
|
@@ -424,6 +430,7 @@ static tAVRC_STS avrc_pars_browsing_cmd(tAVRC_MSG_BROWSE* p_msg,
|
|
tAVRC_STS status = AVRC_STS_NO_ERROR;
|
|
uint8_t* p = p_msg->p_browse_data;
|
|
int count;
|
|
+ uint16_t min_len = 3;
|
|
|
|
p_result->pdu = *p++;
|
|
AVRC_TRACE_DEBUG("avrc_pars_browsing_cmd() pdu:0x%x", p_result->pdu);
|
|
@@ -437,6 +444,7 @@ static tAVRC_STS avrc_pars_browsing_cmd(tAVRC_MSG_BROWSE* p_msg,
|
|
break;
|
|
|
|
case AVRC_PDU_GET_FOLDER_ITEMS: /* 0x71 */
|
|
+ min_len += 10;
|
|
STREAM_TO_UINT8(p_result->get_items.scope, p);
|
|
// To be modified later here (Scope) when all browsing commands are
|
|
// supported
|
|
@@ -457,6 +465,11 @@ static tAVRC_STS avrc_pars_browsing_cmd(tAVRC_MSG_BROWSE* p_msg,
|
|
if (buf_len < (count << 2))
|
|
p_result->get_items.attr_count = count = (buf_len >> 2);
|
|
for (int idx = 0; idx < count; idx++) {
|
|
+ min_len += 4;
|
|
+ RETURN_STATUS_IF_FALSE(AVRC_STS_BAD_CMD,
|
|
+ (p_msg->browse_len >= min_len),
|
|
+ "msg too short");
|
|
+
|
|
BE_STREAM_TO_UINT32(p_result->get_items.p_attr_list[idx], p);
|
|
}
|
|
}
|
|
@@ -473,6 +486,7 @@ static tAVRC_STS avrc_pars_browsing_cmd(tAVRC_MSG_BROWSE* p_msg,
|
|
break;
|
|
|
|
case AVRC_PDU_GET_ITEM_ATTRIBUTES: /* 0x73 */
|
|
+ min_len += 12;
|
|
BE_STREAM_TO_UINT8(p_result->get_attrs.scope, p);
|
|
if (p_result->get_attrs.scope > AVRC_SCOPE_NOW_PLAYING) {
|
|
status = AVRC_STS_BAD_SCOPE;
|
|
@@ -489,6 +503,11 @@ static tAVRC_STS avrc_pars_browsing_cmd(tAVRC_MSG_BROWSE* p_msg,
|
|
p_result->get_attrs.attr_count = count = (buf_len >> 2);
|
|
for (int idx = 0, count = 0; idx < p_result->get_attrs.attr_count;
|
|
idx++) {
|
|
+ min_len += 4;
|
|
+ RETURN_STATUS_IF_FALSE(AVRC_STS_BAD_CMD,
|
|
+ (p_msg->browse_len >= min_len),
|
|
+ "msg too short");
|
|
+
|
|
BE_STREAM_TO_UINT32(p_result->get_attrs.p_attr_list[count], p);
|
|
if (AVRC_IS_VALID_MEDIA_ATTRIBUTE(
|
|
p_result->get_attrs.p_attr_list[count])) {
|