commit | bf98f204564cb67268adb21a5c06148d59d90456 | |
---|---|---|
author | Hui Peng <phui@google.com> | Thu Dec 01 06:17:36 2022 +0000 |
committer | Android Build Coastguard Worker <android-build-coastguard-worker@google.com> | Tue Jan 17 20:09:33 2023 +0000 |
tree | ef170d8abd2990dd65a7cadf43f38210313f384c | |
parent | 7ad513b983389b194e419698da278c1c0481f46d | |
Fix an OOB access bug in A2DP_BuildMediaPayloadHeaderSbc

In A2DP_BuildCodecHeaderSbc when p_buf->offset is 0, the `-=` operation on it may result in integer underflow and OOB write with the computed pointer passed to A2DP_BuildMediaPayloadHeaderSbc.

The regression test is I2e026025ce49a02280dfcacd08f4bfc1b5d12264

Bug: 186803518
Test: atest net_test_stack_a2dp_codecs_native
Ignore-AOSP-First: security
Merged-In: I45320085b1e458d3b0e0d86162a35aaaae7b34cb
Change-Id: I45320085b1e458d3b0e0d86162a35aaaae7b34cb
(cherry picked from commit b0d7d4e82902f15504ef4f2be4524b1913df5afe)
Merged-In: I45320085b1e458d3b0e0d86162a35aaaae7b34cb
diff --git a/system/stack/a2dp/a2dp_sbc.cc b/system/stack/a2dp/a2dp_sbc.cc index c5d5a15..5a95099 100644 --- a/system/stack/a2dp/a2dp_sbc.cc +++ b/system/stack/a2dp/a2dp_sbc.cc
@@ -696,6 +696,11 @@ return false; } + // there is an 4-byte timestamp right following p_buf + if (p_buf->offset < 4 + A2DP_SBC_MPL_HDR_LEN) { + return false; + } + p_buf->offset -= A2DP_SBC_MPL_HDR_LEN; uint8_t* p = (uint8_t*)(p_buf + 1) + p_buf->offset; p_buf->len += A2DP_SBC_MPL_HDR_LEN;
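Review bot: the new guard `if (p_buf->offset < 4 + A2DP_SBC_MPL_HDR_LEN)` hard-codes the timestamp size as a bare `4` while the header length beside it is a named constant; give the 4-byte timestamp reservation a named constant as well (or reuse one if the stack already defines it), so the coupling between this check and the code that later writes the timestamp in front of the payload is visible and stays in sync. The comment above the check should read "there is a 4-byte timestamp" rather than "an 4-byte", and it would help to spell out the actual requirement: after `p_buf->offset -= A2DP_SBC_MPL_HDR_LEN` there must still be room ahead of the payload for that timestamp, otherwise the subtraction underflows the offset and the pointer computed on the following line, `uint8_t* p = (uint8_t*)(p_buf + 1) + p_buf->offset;`, lands outside the buffer, which is exactly the out-of-bounds write the commit message describes. The early `return false;` is also silent; a log line carrying the rejected `p_buf->offset` value would make callers that hand in an undersized buffer much easier to diagnose, and the regression test named in the commit message should exercise both the offset-0 case and the boundary value `4 + A2DP_SBC_MPL_HDR_LEN` itself.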