Added max buffer length check

Bug: 230867224
Test: Manual -- paired Bluetooth headset and played audio
Tags: #security
Ignore-AOSP-First: Security
Change-Id: I6f70db549b3fbc7f958ee70c679db438e9538472
diff --git a/system/stack/avct/avct_lcb_act.cc b/system/stack/avct/avct_lcb_act.cc
index 6bbe9e6..fbbc1f1 100644
--- a/system/stack/avct/avct_lcb_act.cc
+++ b/system/stack/avct/avct_lcb_act.cc
@@ -68,7 +68,12 @@
   pkt_type = AVCT_PKT_TYPE(p);
 
   /* quick sanity check on length */
-  if (p_buf->len < avct_lcb_pkt_type_len[pkt_type]) {
+  if (p_buf->len < avct_lcb_pkt_type_len[pkt_type] ||
+      (sizeof(BT_HDR) + p_buf->offset + p_buf->len) > BT_DEFAULT_BUFFER_SIZE) {
+    if ((sizeof(BT_HDR) + p_buf->offset + p_buf->len) >
+        BT_DEFAULT_BUFFER_SIZE) {
+      android_errorWriteWithInfoLog(0x534e4554, "230867224", -1, NULL, 0);
+    }
     osi_free(p_buf);
     AVCT_TRACE_WARNING("Bad length during reassembly");
     p_ret = NULL;