HIDD: Prevent integer underflow in bta_hd_act
Bug: 109757435
Bug: 109757168
Bug: 110846194
Bug: 109757986
Test: manual
Change-Id: I80a6f3f931ac7512f1ba801cc5d8de6ac04f3422
(cherry picked from commit 74a6392875166698b64b624d12b6d2e404b75d72)
diff --git a/bta/hd/bta_hd_act.cc b/bta/hd/bta_hd_act.cc
index 0886422..b8cdb7d 100644
--- a/bta/hd/bta_hd_act.cc
+++ b/bta/hd/bta_hd_act.cc
@@ -36,6 +36,7 @@
#include "bta_sys.h"
#include "btm_api.h"
+#include "log/log.h"
#include "osi/include/osi.h"
static void bta_hd_cback(const RawAddress& bd_addr, uint8_t event,
@@ -504,6 +505,10 @@
APPL_TRACE_API("%s", __func__);
if (bta_hd_cb.use_report_id || bta_hd_cb.boot_mode) {
+ if (len < 1) {
+ android_errorWriteLog(0x534e4554, "109757986");
+ return;
+ }
ret.report_id = *p_buf;
len--;
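Review bot: The literal `0x534e4554` passed to `android_errorWriteLog` in the new `len < 1` guard is an unexplained magic number, and the same literal is repeated in every guard this commit adds in the two later hunks. It is the ASCII encoding of "SNET"; a named constant, or a one-line comment such as `// 0x534e4554 == "SNET": event-log tag used for security-bug telemetry`, would tell the next reader what the value is and why these returns are logged differently from ordinary errors. The enclosing function starts and ends outside the hunk, so the declaration of `len` is not visible here. The guard is only sound if `len` is an unsigned count of the bytes actually readable at `p_buf`, which is worth stating in a comment next to that declaration.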
@@ -536,15 +541,31 @@
APPL_TRACE_API("%s", __func__);
+ uint16_t remaining_len = p_msg->len;
+ if (remaining_len < 1) {
+ android_errorWriteLog(0x534e4554, "109757168");
+ return;
+ }
+
ret.report_type = *p_buf & HID_PAR_REP_TYPE_MASK;
p_buf++;
+ remaining_len--;
if (bta_hd_cb.use_report_id) {
+ if (remaining_len < 1) {
+ android_errorWriteLog(0x534e4554, "109757168");
+ return;
+ }
ret.report_id = *p_buf;
p_buf++;
+ remaining_len--;
}
if (rep_size_follows) {
+ if (remaining_len < 2) {
+ android_errorWriteLog(0x534e4554, "109757168");
+ return;
+ }
ret.buffer_size = *p_buf | (*(p_buf + 1) << 8);
}
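Review bot: The three `remaining_len` guards are the same four lines repeated with the same id `"109757168"`, so the event log cannot show which field was truncated, and a later change to the parser has to keep three copies in step. Folding them into one local helper that takes the required byte count would keep the bounds logic in one place, e.g. `if (!has_bytes(remaining_len, 2)) return;`, with the log call inside the helper (the helper name is a suggestion, not an existing function). Each early return also leaves before whatever follows the hunk. If the function normally ends by invoking a callback or replying to the peer, a truncated message is now dropped with no trace besides the event log, so a short comment on the first guard saying that this is intended would help. The function starts and ends outside the hunk, so that part is inferred rather than visible.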
@@ -569,11 +590,19 @@
APPL_TRACE_API("%s", __func__);
+ if (len < 1) {
+ android_errorWriteLog(0x534e4554, "110846194");
+ return;
+ }
ret.report_type = *p_buf & HID_PAR_REP_TYPE_MASK;
p_buf++;
len--;
if (bta_hd_cb.use_report_id || bta_hd_cb.boot_mode) {
+ if (len < 1) {
+ android_errorWriteLog(0x534e4554, "109757435");
+ return;
+ }
ret.report_id = *p_buf;
len--;