Add bounds checks in btif_avrcp_audio_track.cc
Fuzz testing revealed that the transcodeQ*ToFloat family of functions is not bounds checked against the destination buffer, allowing a potential out-of-bounds (OOB) write.
Check these functions against bounds of the destination array.
Bug: 275895309
Test: atest bluetooth_test_gd_unit, net_test_stack_btm
Tag: #security
Ignore-AOSP-First: Security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:46803ae95d63ee133eae83d885e7c051964dc8ed)
Merged-In: I7a13261429797769cf5b913912a30e249668ac93
Change-Id: I7a13261429797769cf5b913912a30e249668ac93
diff --git a/system/btif/src/btif_avrcp_audio_track.cc b/system/btif/src/btif_avrcp_audio_track.cc
index 8ca5c97..e17f80f 100644
--- a/system/btif/src/btif_avrcp_audio_track.cc
+++ b/system/btif/src/btif_avrcp_audio_track.cc
@@ -23,6 +23,8 @@
#include <base/logging.h>
#include <utils/StrongPointer.h>
+#include <algorithm>
+
#include "bt_target.h"
#include "osi/include/log.h"
@@ -152,7 +154,7 @@
BtifAvrcpAudioTrack* trackHolder) {
size_t sampleSize = sampleSizeFor(trackHolder);
size_t i = 0;
- for (; i <= length / sampleSize; i++) {
+ for (; i < std::min(trackHolder->bufferLength, length / sampleSize); i++) {
trackHolder->buffer[i] = ((int16_t*)buffer)[i] * kScaleQ15ToFloat;
}
return i * sampleSize;
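Review bot: The new bound `std::min(trackHolder->bufferLength, length / sampleSize)` on the changed loop line silently truncates the input when the track buffer is smaller than the payload, so the condition the fuzzer found would be invisible in the field, and the expression is re-evaluated on every iteration. Hoisting it into a named constant reads better and gives a single place to report the truncation: `const size_t samples = std::min(trackHolder->bufferLength, length / sampleSize);` then `for (; i < samples; i++)`, with a warning (e.g. via the log macros from osi/include/log.h) when `length / sampleSize > trackHolder->bufferLength`. This assumes `bufferLength` counts float samples rather than bytes — it is used as the index bound for `buffer[i]` here, but its declaration is not in the hunk. The function's signature line is above the hunk.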
@@ -162,7 +164,7 @@
BtifAvrcpAudioTrack* trackHolder) {
size_t sampleSize = sampleSizeFor(trackHolder);
size_t i = 0;
- for (; i <= length / sampleSize; i++) {
+ for (; i < std::min(trackHolder->bufferLength, length / sampleSize); i++) {
size_t offset = i * sampleSize;
int32_t sample = *((int32_t*)(buffer + offset - 1)) & 0x00FFFFFF;
trackHolder->buffer[i] = sample * kScaleQ23ToFloat;
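Review bot: `buffer + offset - 1` on the line after the changed loop still reads one byte before the start of `buffer` when `i == 0` (offset is 0), so the new bound fixes the destination write but leaves an out-of-bounds read of the source, and the 4-byte load through an `int32_t*` at an odd offset is unaligned. Assembling the three bytes explicitly avoids both: `int32_t sample = static_cast<int32_t>(static_cast<uint32_t>(buffer[offset]) | (static_cast<uint32_t>(buffer[offset + 1]) << 8) | (static_cast<uint32_t>(buffer[offset + 2]) << 16));` (assuming `buffer` is a byte pointer, as the `+ offset` arithmetic suggests, and little-endian samples, as the `& 0x00FFFFFF` mask implies). Note also that with the current `- 1` and mask, the value used is the last byte of the previous sample plus the first two bytes of this one rather than this sample's own three bytes — worth confirming against the intended Q23 layout, as is whether negative samples should be sign-extended, since the mask only ever yields non-negative values. The function's return statement and closing brace are below the hunk.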
@@ -174,7 +176,7 @@
BtifAvrcpAudioTrack* trackHolder) {
size_t sampleSize = sampleSizeFor(trackHolder);
size_t i = 0;
- for (; i <= length / sampleSize; i++) {
+ for (; i < std::min(trackHolder->bufferLength, length / sampleSize); i++) {
trackHolder->buffer[i] = ((int32_t*)buffer)[i] * kScaleQ31ToFloat;
}
return i * sampleSize;
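Review bot: The return `i * sampleSize` on the last line now reports fewer bytes than `length` whenever the track buffer is smaller than the input, and nothing in the hunk documents that; a caller that assumes the whole payload was consumed would drop audio silently. A comment on the return makes the new contract explicit: `// Bytes of input consumed; less than length when the track buffer (bufferLength samples) is full.` The `(int32_t*)buffer` cast on the assignment line also assumes the input is 4-byte aligned — presumably true for the caller's buffer, but worth stating. The function's signature and closing brace lie outside the hunk.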