DO NOT MERGE AVRC: Copy browse.p_browse_data in btif_av_event_deep_copy
p_msg_src->browse.p_browse_data is not deep-copied, but is still used after the
original buffer is freed
Bug: 109699112
Test: manual
Change-Id: I1d014eb9a8911da6913173a9b11218bf1c89e16e
(cherry picked from commit 1d9a58768e6573899c7e80c2b3f52e22f2d8f58b)
diff --git a/btif/src/btif_av.cc b/btif/src/btif_av.cc
index 14d4444..0178e36 100644
--- a/btif/src/btif_av.cc
+++ b/btif/src/btif_av.cc
@@ -1180,6 +1180,14 @@
memcpy(p_msg_dest->vendor.p_vendor_data,
p_msg_src->vendor.p_vendor_data, p_msg_src->vendor.vendor_len);
}
+ if ((p_msg_src->hdr.opcode == AVRC_OP_BROWSE) &&
+ p_msg_src->browse.p_browse_data && p_msg_src->browse.browse_len) {
+ p_msg_dest->browse.p_browse_data =
+ (uint8_t*)osi_calloc(p_msg_src->browse.browse_len);
+ memcpy(p_msg_dest->browse.p_browse_data,
+ p_msg_src->browse.p_browse_data, p_msg_src->browse.browse_len);
+ android_errorWriteLog(0x534e4554, "109699112");
+ }
}
break;
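Review bot: The new block leaves `p_msg_dest->browse.p_browse_data` untouched when `p_browse_data` is NULL or `browse_len` is 0, so if the message struct was shallow-copied earlier in the function (the start of btif_av_event_deep_copy is outside the hunk, so this is inferred from the vendor path above) the destination keeps aliasing the source buffer in that case. The free added in the second hunk (`@@ -1198,6 +1206,9 @@`) then releases a buffer the copy never owned once `browse_len` is 0 but the pointer is set, which re-opens the double-free/use-after-free this change is meant to close. Clear the alias in the other branch: `} else {` / `p_msg_dest->browse.p_browse_data = NULL;` / `}` — and zeroing `p_msg_dest->browse.browse_len` alongside keeps the two fields consistent. Whether the vendor branch already guards its own else case cannot be seen from the hunk; if it does not, the same hazard applies there.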
@@ -1198,6 +1206,9 @@
if (av->meta_msg.p_msg->hdr.opcode == AVRC_OP_VENDOR) {
osi_free(av->meta_msg.p_msg->vendor.p_vendor_data);
}
+ if (av->meta_msg.p_msg->hdr.opcode == AVRC_OP_BROWSE) {
+ osi_free(av->meta_msg.p_msg->browse.p_browse_data);
+ }
osi_free_and_reset((void**)&av->meta_msg.p_msg);
}
} break;