Add missing AVRCP message length checks inside avrc_msg_cback

Explicitly check the length of the received message before
accessing the data.

Bug: 111803925
Bug: 79883824
Test: POC scripts
Change-Id: I00b1c6bd6dd7e18ac2c469ef2032c7ff10dcaecb
Merged-In: I00b1c6bd6dd7e18ac2c469ef2032c7ff10dcaecb
(cherry picked from commit 282deb3e27407aaa88b8ddbdbd7bb7d56ddc635f)
(cherry picked from commit 007868d05f4b761842c7345161aeda6fd40dd245)
diff --git a/stack/avrc/avrc_api.cc b/stack/avrc/avrc_api.cc
index 69534e9..53c25a9 100644
--- a/stack/avrc/avrc_api.cc
+++ b/stack/avrc/avrc_api.cc
@@ -24,6 +24,8 @@
 #include <base/logging.h>
 #include <string.h>
 
+#include <log/log.h>
+
 #include "avrc_api.h"
 #include "avrc_int.h"
 #include "bt_common.h"
@@ -660,6 +662,13 @@
     msg.browse.browse_len = p_pkt->len;
     msg.browse.p_browse_pkt = p_pkt;
   } else {
+    if (p_pkt->len < AVRC_AVC_HDR_SIZE) {
+      android_errorWriteLog(0x534e4554, "111803925");
+      AVRC_TRACE_WARNING("%s: message length %d too short: must be at least %d",
+                         __func__, p_pkt->len, AVRC_AVC_HDR_SIZE);
+      osi_free(p_pkt);
+      return;
+    }
     msg.hdr.ctype = p_data[0] & AVRC_CTYPE_MASK;
     AVRC_TRACE_DEBUG("%s handle:%d, ctype:%d, offset:%d, len: %d", __func__,
                      handle, msg.hdr.ctype, p_pkt->offset, p_pkt->len);
@@ -693,6 +702,15 @@
           p_drop_msg = "auto respond";
         } else {
           /* parse response */
+          if (p_pkt->len < AVRC_OP_UNIT_INFO_RSP_LEN) {
+            AVRC_TRACE_WARNING(
+                "%s: message length %d too short: must be at least %d",
+                __func__, p_pkt->len, AVRC_OP_UNIT_INFO_RSP_LEN);
+            android_errorWriteLog(0x534e4554, "79883824");
+            drop = true;
+            p_drop_msg = "UNIT_INFO_RSP too short";
+            break;
+          }
           p_data += 4; /* 3 bytes: ctype, subunit*, opcode + octet 3 (is 7)*/
           msg.unit.unit_type =
               (*p_data & AVRC_SUBTYPE_MASK) >> AVRC_SUBTYPE_SHIFT;
@@ -722,6 +740,15 @@
           p_drop_msg = "auto responded";
         } else {
           /* parse response */
+          if (p_pkt->len < AVRC_OP_SUB_UNIT_INFO_RSP_LEN) {
+            AVRC_TRACE_WARNING(
+                "%s: message length %d too short: must be at least %d",
+                __func__, p_pkt->len, AVRC_OP_SUB_UNIT_INFO_RSP_LEN);
+            android_errorWriteLog(0x534e4554, "79883824");
+            drop = true;
+            p_drop_msg = "SUB_UNIT_INFO_RSP too short";
+            break;
+          }
           p_data += AVRC_AVC_HDR_SIZE; /* 3 bytes: ctype, subunit*, opcode */
           msg.sub.page =
               (*p_data++ >> AVRC_SUB_PAGE_SHIFT) & AVRC_SUB_PAGE_MASK;