Fix an OOB bug in register_notification_rsp
Bug: 245916076
Test: manual
Ignore-AOSP-First: security
Change-Id: I901d973a736678d7f3cc816ddf0cbbcbbd1fe93f
(cherry picked from commit daa3efc5e53c8613f4b1a33e095ff6c6460b8d02)
Merged-In: I901d973a736678d7f3cc816ddf0cbbcbbd1fe93f
diff --git a/system/btif/src/btif_rc.cc b/system/btif/src/btif_rc.cc
index 1b68326..937cb15 100644
--- a/system/btif/src/btif_rc.cc
+++ b/system/btif/src/btif_rc.cc
@@ -1959,6 +1959,11 @@
dump_rc_notification_event_id(event_id));
std::unique_lock<std::mutex> lock(btif_rc_cb.lock);
+ if (event_id > MAX_RC_NOTIFICATIONS) {
+ BTIF_TRACE_ERROR("Invalid event id");
+ return BT_STATUS_PARM_INVALID;
+ }
+
memset(&(avrc_rsp.reg_notif), 0, sizeof(tAVRC_REG_NOTIF_RSP));
avrc_rsp.reg_notif.event_id = event_id;