commit d1d0901233c8004406da87b842fa258ab5ada2f4
author Android Build Coastguard Worker <android-build-coastguard-worker@google.com> Fri May 13 20:37:48 2022 +0000
committer Android Build Coastguard Worker <android-build-coastguard-worker@google.com> Fri May 13 20:37:48 2022 +0000
tree 40bb0f0b635a24929aadcabb48658fec246619ca
parent fc40c99fcf7710a755020b953f4d455ff7de2c19
parent 6e119593bee3ce822ba917d0aba542ae9c554c67

Merge cherrypicks of [17777241, 17777138, 18119099, 18030838] into security-aosp-sc-release.

Change-Id: I804a4db5a6b55d1dea35ecb7312b63399eb0e066

bta/hf_client/bta_hf_client_at.cc

diff --git a/bta/hf_client/bta_hf_client_at.cc b/bta/hf_client/bta_hf_client_at.cc
index 721bbbc..0392a4d 100644
--- a/bta/hf_client/bta_hf_client_at.cc
+++ b/bta/hf_client/bta_hf_client_at.cc
@@ -333,6 +333,10 @@
 
   APPL_TRACE_DEBUG("%s: %lu.%s <%lu:%lu>", __func__, index, name, min, max);
 
+  if (index >= BTA_HF_CLIENT_AT_INDICATOR_COUNT) {
+    return;
+  }
+
   /* look for a matching indicator on list of supported ones */
   for (i = 0; i < BTA_HF_CLIENT_AT_SUPPORTED_INDICATOR_COUNT; i++) {
     if (strcmp(name, BTA_HF_CLIENT_INDICATOR_SERVICE) == 0) {
@@ -812,9 +816,9 @@
   } while (0)
 
 /* skip rest of AT string up to <cr> */
-#define AT_SKIP_REST(buf)           \
-  do {                              \
-    while (*(buf) != '\r') (buf)++; \
+#define AT_SKIP_REST(buf)                             \
+  do {                                                \
+    while (*(buf) != '\r' && *(buf) != '\0') (buf)++; \
   } while (0)
 
 static char* bta_hf_client_parse_ok(tBTA_HF_CLIENT_CB* client_cb,

stack/avrc/avrc_pars_tg.cc

diff --git a/stack/avrc/avrc_pars_tg.cc b/stack/avrc/avrc_pars_tg.cc
index c59c18d..98a6495 100644
--- a/stack/avrc/avrc_pars_tg.cc
+++ b/stack/avrc/avrc_pars_tg.cc
@@ -44,6 +44,12 @@
                                            tAVRC_COMMAND* p_result) {
   tAVRC_STS status = AVRC_STS_NO_ERROR;
 
+  if (p_msg->vendor_len < 4) {  // 4 == pdu + reserved byte + len as uint16
+    AVRC_TRACE_WARNING("%s: message length %d too short: must be at least 4",
+                       __func__, p_msg->vendor_len);
+    android_errorWriteLog(0x534e4554, "205571133");
+    return AVRC_STS_INTERNAL_ERR;
+  }
   uint8_t* p = p_msg->p_vendor_data;
   p_result->pdu = *p++;
   AVRC_TRACE_DEBUG("%s pdu:0x%x", __func__, p_result->pdu);

stack/gatt/gatt_db.cc

diff --git a/stack/gatt/gatt_db.cc b/stack/gatt/gatt_db.cc
index f7d18e4..6353c28 100644
--- a/stack/gatt/gatt_db.cc
+++ b/stack/gatt/gatt_db.cc
@@ -27,6 +27,7 @@
 #include "bt_trace.h"
 #include "bt_utils.h"
 
+#include <log/log.h>
 #include <stdio.h>
 #include <string.h>
 #include "gatt_int.h"
@@ -237,6 +238,12 @@
     uint16_t char_ext_prop =
         attr16.p_value ? attr16.p_value->char_ext_prop : 0x0000;
     *p_len = 2;
+
+    if (mtu < *p_len) {
+      android_errorWriteWithInfoLog(0x534e4554, "228078096", -1, NULL, 0);
+      return GATT_NO_RESOURCES;
+    }
+
     UINT16_TO_STREAM(p, char_ext_prop);
     *p_data = p;
     return GATT_SUCCESS;