mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-12-27 00:19:26 -05:00
082bc48c32
https://review.lineageos.org/q/topic:P_asb_2022-05 https://review.lineageos.org/q/topic:P_asb_2022-06 https://review.lineageos.org/q/topic:P_asb_2022-07 https://review.lineageos.org/q/topic:P_asb_2022-08 https://review.lineageos.org/q/topic:P_asb_2022-09 https://review.lineageos.org/q/topic:P_asb_2022-10 https://review.lineageos.org/q/topic:P_asb_2022-11 https://review.lineageos.org/q/topic:P_asb_2022-12 https://review.lineageos.org/q/topic:P_asb_2023-01 https://review.lineageos.org/q/topic:P_asb_2023-02 https://review.lineageos.org/q/topic:P_asb_2023-03 https://review.lineageos.org/q/topic:P_asb_2023-04 https://review.lineageos.org/q/topic:P_asb_2023-05 https://review.lineageos.org/q/topic:P_asb_2023-06 https://review.lineageos.org/q/topic:P_asb_2023-07 accounted for via manifest change: https://review.lineageos.org/c/LineageOS/android_external_freetype/+/361250 https://review.lineageos.org/q/topic:P_asb_2023-08 accounted for via manifest change: https://review.lineageos.org/c/LineageOS/android_external_freetype/+/364606 accounted for via patches: https://review.lineageos.org/c/LineageOS/android_system_ca-certificates/+/365328 https://review.lineageos.org/q/topic:P_asb_2023-09 https://review.lineageos.org/q/topic:P_asb_2023-10 https://review.lineageos.org/q/topic:P_asb_2023-11 accounted for via patches: https://review.lineageos.org/c/LineageOS/android_system_ca-certificates/+/374916 https://review.lineageos.org/q/topic:P_asb_2023-12 https://review.lineageos.org/q/topic:P_asb_2024-01 https://review.lineageos.org/q/topic:P_asb_2024-02 https://review.lineageos.org/q/topic:P_asb_2024-03 https://review.lineageos.org/q/topic:P_asb_2024-04 Signed-off-by: Tavi <tavi@divested.dev>
66 lines
2.7 KiB
Diff
66 lines
2.7 KiB
Diff
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
From: Brian Delwiche <delwiche@google.com>
|
|
Date: Fri, 2 Dec 2022 00:41:24 +0000
|
|
Subject: [PATCH] Report failure when not able to connect to AVRCP
|
|
|
|
A crash may occur when creating a bluetooth AVRCP connection to a
|
|
device.
|
|
|
|
The code fails to check a return value from an AVRCP function
|
|
being used to index into an array. The return value may exceed the
|
|
size of the array causing memory outside the bounds of the array to be
|
|
accessed leading to memory corruption and a crash.
|
|
|
|
The fix is to ensure the return value is within the bounds of the
|
|
array before accessing the array contents. If the return value is
|
|
not within the bounds of the array report it as a failure to the
|
|
bluetooth stack.
|
|
|
|
This change is relevant for android automotive because the IVI
|
|
(in-vehicle infotainment system) acts as the an AVRCP controller
|
|
which still executes this code.
|
|
|
|
Note: this is a backport of b/214569798, inducted as a non-security
|
|
issue. Per b/226927612 it has been found to have security impact
|
|
and should be backported to earlier branches.
|
|
|
|
Bug: 226927612
|
|
Test: Manual - set return value to be out of bounds, verify no crash
|
|
Tag: #security
|
|
Ignore-AOSP-First: Security
|
|
Change-Id: I03f89f894c759b85e555a024435b625397ef7e5c
|
|
Merged-In: I03f89f894c759b85e555a024435b625397ef7e5c
|
|
(cherry picked from commit 86112bf0535f3f5a4c6a0a137e67b0eebd9bbdf5)
|
|
Merged-In: I03f89f894c759b85e555a024435b625397ef7e5c
|
|
---
|
|
bta/av/bta_av_act.cc | 16 +++++++++++++++-
|
|
1 file changed, 15 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/bta/av/bta_av_act.cc b/bta/av/bta_av_act.cc
|
|
index 5625f90bf..112645ecf 100644
|
|
--- a/bta/av/bta_av_act.cc
|
|
+++ b/bta/av/bta_av_act.cc
|
|
@@ -1840,7 +1840,21 @@ void bta_av_rc_disc_done(UNUSED_ATTR tBTA_AV_DATA* p_data) {
|
|
if (p_lcb) {
|
|
rc_handle = bta_av_rc_create(p_cb, AVCT_INT,
|
|
(uint8_t)(p_scb->hdi + 1), p_lcb->lidx);
|
|
- p_cb->rcb[rc_handle].peer_features = peer_features;
|
|
+ if (rc_handle < BTA_AV_NUM_RCB) {
|
|
+ p_cb->rcb[rc_handle].peer_features = peer_features;
|
|
+ } else {
|
|
+ /* cannot create valid rc_handle for current device. report failure
|
|
+ */
|
|
+ APPL_TRACE_ERROR("%s: no link resources available", __func__);
|
|
+ p_scb->use_rc = false;
|
|
+ tBTA_AV_RC_OPEN rc_open;
|
|
+ rc_open.peer_addr = p_scb->PeerAddress();
|
|
+ rc_open.peer_features = 0;
|
|
+ rc_open.status = BTA_AV_FAIL_RESOURCES;
|
|
+ tBTA_AV bta_av_data;
|
|
+ bta_av_data.rc_open = rc_open;
|
|
+ (*p_cb->p_cback)(BTA_AV_RC_OPEN_EVT, &bta_av_data);
|
|
+ }
|
|
} else {
|
|
APPL_TRACE_ERROR("%s: can not find LCB!!", __func__);
|
|
}
|