Fix OOB read in avrc_ctrl_pars_vendor_rsp Bug: 78526423 Test: manual Change-Id: I0eeacc6a25b12f4b999098375d0d032cfa462a91 (cherry picked from commit d945ada503ed9c9ea24e092df51faba57f5d589a)

commit: 4c073ba3055442fd794e5c0a925c2a7a0b07de01 [log] [tgz]
author: Hansong Zhang <hsz@google.com> Mon Aug 06 14:40:37 2018 -0700
committer: Ryan Longair <rlongair@google.com> Wed Aug 15 13:24:40 2018 -0700
tree: 93b0a3aac4d79ef0c6d25a45abd8838fc96a433a
parent: 153be6d3af8332565a65074534e8440f3a102683 [diff]
diff --git a/stack/avrc/avrc_pars_ct.cc b/stack/avrc/avrc_pars_ct.cc
index fbfeeaf..081a06c 100644
--- a/stack/avrc/avrc_pars_ct.cc
+++ b/stack/avrc/avrc_pars_ct.cc

@@ -481,6 +481,11 @@
         break;
       }
       BE_STREAM_TO_UINT8(p_result->list_app_values.num_val, p);
+      if (p_result->list_app_values.num_val > AVRC_MAX_APP_ATTR_SIZE) {
+        android_errorWriteLog(0x534e4554, "78526423");
+        p_result->list_app_values.num_val = AVRC_MAX_APP_ATTR_SIZE;
+      }
+
       AVRC_TRACE_DEBUG("%s value count = %d ", __func__,
                        p_result->list_app_values.num_val);
       for (int xx = 0; xx < p_result->list_app_values.num_val; xx++) {
commit	4c073ba3055442fd794e5c0a925c2a7a0b07de01	[log] [tgz]
author	Hansong Zhang <hsz@google.com>	Mon Aug 06 14:40:37 2018 -0700
committer	Ryan Longair <rlongair@google.com>	Wed Aug 15 13:24:40 2018 -0700
tree	93b0a3aac4d79ef0c6d25a45abd8838fc96a433a
parent	153be6d3af8332565a65074534e8440f3a102683 [diff]