Merge cherrypicks of [5317808, 5317809, 5318498, 5317873, 5318338, 5318195, 5318499, 5317874, 5317875, 5317876, 5318243, 5318244, 5318537, 5318538, 5318539, 5318540, 5318541, 5318542, 5318543, 5318544, 5318545, 5318546, 5315210, 5317756, 5318557, 5318558, 5318559, 5318560, 5318561, 5318339, 5318547, 5318548, 5318549, 5318562, 5318563, 5318564, 5318565, 5318566, 5318172, 5318173, 5318174, 5318550, 5318401, 5318196, 5317889, 5318175, 5318176, 5318577, 5318578, 5318579, 5318580, 5318581, 5318503, 5318390, 5318505, 5318341, 5318551] into pi-qpr1-release
Change-Id: I6df9d99838866ae835f25adc27afe9e29fc6a380
diff --git a/bta/ag/bta_ag_sdp.cc b/bta/ag/bta_ag_sdp.cc
index 8ff39fd..5ab1215 100644
--- a/bta/ag/bta_ag_sdp.cc
+++ b/bta/ag/bta_ag_sdp.cc
@@ -470,7 +470,6 @@
if (p_scb->hsp_version >= HSP_VERSION_1_2) {
uuid_list[0] = Uuid::From16Bit(UUID_SERVCLASS_HEADSET_HS);
- num_uuid = 2;
} else {
/* Legacy from HSP v1.0 */
uuid_list[0] = Uuid::From16Bit(UUID_SERVCLASS_HEADSET);
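Review bot: With `num_uuid = 2` removed, both branches of this `if` fill only `uuid_list[0]`, and nothing in the hunk says what `num_uuid` now holds, so a reader cannot tell whether the second UUID slot was dropped deliberately or whether the count is still expected to be adjusted elsewhere. A one-line comment on the HSP 1.2 branch would settle it, e.g. `/* Only the HS service class is searched here; num_uuid keeps the value assigned before this branch. */` — adjust the wording if the count is set somewhere else. The enclosing function starts and ends outside the hunk, so the initial assignment of `num_uuid` is not visible here.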
diff --git a/bta/hd/bta_hd_int.h b/bta/hd/bta_hd_int.h
index 4a48254..0748b67 100644
--- a/bta/hd/bta_hd_int.h
+++ b/bta/hd/bta_hd_int.h
@@ -66,7 +66,7 @@
#define BTA_HD_APP_NAME_LEN 50
#define BTA_HD_APP_DESCRIPTION_LEN 50
#define BTA_HD_APP_PROVIDER_LEN 50
-#define BTA_HD_APP_DESCRIPTOR_LEN 2048
+#define BTA_HD_APP_DESCRIPTOR_LEN HIDD_APP_DESCRIPTOR_LEN
#define BTA_HD_STATE_DISABLED 0x00
#define BTA_HD_STATE_ENABLED 0x01
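Review bot: `BTA_HD_APP_DESCRIPTOR_LEN` is now defined in terms of `HIDD_APP_DESCRIPTOR_LEN`, which this same patch introduces in `stack/include/hiddefs.h`, but the hunk does not show `bta_hd_int.h` including that header. If the name is only reachable through a transitive include, a later reordering of includes breaks this header; add the include for `hiddefs.h` explicitly (using the project's include path). A brief comment such as `/* Must match the HID stack limit: the BTA descriptor is handed straight to the stack. */` would also tell the next maintainer why the two limits are tied together — confirm the hand-off before stating it.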
diff --git a/btif/src/bluetooth.cc b/btif/src/bluetooth.cc
index 92a4092..dc59046 100644
--- a/btif/src/bluetooth.cc
+++ b/btif/src/bluetooth.cc
@@ -415,8 +415,32 @@
return btif_le_test_mode(opcode, buf, len);
}
+static bt_os_callouts_t* wakelock_os_callouts_saved = nullptr;
+
+static int acquire_wake_lock_cb(const char* lock_name) {
+ return do_in_jni_thread(
+ FROM_HERE, base::Bind(base::IgnoreResult(
+ wakelock_os_callouts_saved->acquire_wake_lock),
+ lock_name));
+}
+
+static int release_wake_lock_cb(const char* lock_name) {
+ return do_in_jni_thread(
+ FROM_HERE, base::Bind(base::IgnoreResult(
+ wakelock_os_callouts_saved->release_wake_lock),
+ lock_name));
+}
+
+static bt_os_callouts_t wakelock_os_callouts_jni = {
+ sizeof(wakelock_os_callouts_jni),
+ nullptr /* not used */,
+ acquire_wake_lock_cb,
+ release_wake_lock_cb,
+};
+
static int set_os_callouts(bt_os_callouts_t* callouts) {
- wakelock_set_os_callouts(callouts);
+ wakelock_os_callouts_saved = callouts;
+ wakelock_set_os_callouts(&wakelock_os_callouts_jni);
return BT_STATUS_SUCCESS;
}
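Review bot: `base::Bind` in `acquire_wake_lock_cb` and `release_wake_lock_cb` captures `lock_name` as a raw `const char*`, so the saved callout now runs asynchronously on the JNI thread against a pointer whose owner may already have released or reused the buffer by the time the task executes. Unless every caller is known to pass a static string, copy it into the closure (`std::string(lock_name)`) and call the saved callout through a small wrapper that passes `.c_str()`. Separately, `base::IgnoreResult` discards the callout's own status, so the `int` returned by both callbacks is `do_in_jni_thread`'s posting result rather than whether the wake lock was actually taken or released; a comment on each callback should say so. `set_os_callouts` should also reject a null `callouts` before storing it, since both callbacks dereference `wakelock_os_callouts_saved` without a check.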
diff --git a/stack/hid/hidd_api.cc b/stack/hid/hidd_api.cc
index 414cf74..f93511e 100644
--- a/stack/hid/hidd_api.cc
+++ b/stack/hid/hidd_api.cc
@@ -33,6 +33,7 @@
#include "hidd_api.h"
#include "hidd_int.h"
#include "hiddefs.h"
+#include "log/log.h"
tHID_DEV_CTB hd_cb;
@@ -293,7 +294,13 @@
uint8_t* p_buf;
uint8_t seq_len = 4 + desc_len;
- p_buf = (uint8_t*)osi_malloc(2048);
+ if (desc_len > HIDD_APP_DESCRIPTOR_LEN) {
+ HIDD_TRACE_ERROR("%s: descriptor length = %d, larger than max %d",
+ __func__, desc_len, HIDD_APP_DESCRIPTOR_LEN);
+ return HID_ERR_NOT_REGISTERED;
+ };
+
+ p_buf = (uint8_t*)osi_malloc(HIDD_APP_DESCRIPTOR_LEN + 6);
if (p_buf == NULL) {
HIDD_TRACE_ERROR("%s: Buffer allocation failure for size = 2048 ",
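Review bot: `seq_len` on the line above the new check is a `uint8_t` holding `4 + desc_len`, while the check now admits any `desc_len` up to `HIDD_APP_DESCRIPTOR_LEN` (2048); the sum is truncated for descriptors longer than 251 bytes, and whether that corrupts the encoded sequence depends on how `seq_len` is used below the hunk, which is not visible here. The new early-return block also ends in a stray `;` after its closing brace (the `};` line), which should be dropped. The error message that follows still reports `size = 2048` although the allocation is now `HIDD_APP_DESCRIPTOR_LEN + 6`; print the actual value, e.g. `HIDD_TRACE_ERROR("%s: Buffer allocation failure for size = %d", __func__, HIDD_APP_DESCRIPTOR_LEN + 6);` (the original call's argument list continues past the hunk). The enclosing function begins outside the hunk.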
@@ -314,6 +321,10 @@
UINT8_TO_BE_STREAM(p, desc_len);
ARRAY_TO_BE_STREAM(p, p_desc_data, (int)desc_len);
+ if (desc_len > HIDD_APP_DESCRIPTOR_LEN - 6) {
+ android_errorWriteLog(0x534e4554, "113572366");
+ }
+
result &= SDP_AddAttribute(handle, ATTR_ID_HID_DESCRIPTOR_LIST,
DATA_ELE_SEQ_DESC_TYPE, p - p_buf, p_buf);
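Review bot: The literal `6` in `desc_len > HIDD_APP_DESCRIPTOR_LEN - 6` repeats the `+ 6` used for the allocation in the previous hunk without saying what it stands for, so a maintainer changing one is likely to miss the other. Name it once — e.g. `#define HIDD_DESC_SEQ_HDR_LEN 6`, if it is the sequence header written ahead of the descriptor; confirm against the `*_TO_BE_STREAM` calls above — and use it in both places. A comment above the log would also help, since at this point the descriptor has already been streamed into the enlarged buffer and the check is telemetry only: `/* A descriptor this long would have overflowed the former fixed 2048-byte buffer; log it, the data already fits in the enlarged allocation. */`.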
diff --git a/stack/include/hiddefs.h b/stack/include/hiddefs.h
index 8df616c..df01e7d 100644
--- a/stack/include/hiddefs.h
+++ b/stack/include/hiddefs.h
@@ -131,6 +131,8 @@
#define HID_SSR_PARAM_INVALID 0xffff
+#define HIDD_APP_DESCRIPTOR_LEN 2048
+
typedef struct sdp_info {
char svc_name[HID_MAX_SVC_NAME_LEN]; /*Service Name */
char svc_descr[HID_MAX_SVC_DESCR_LEN]; /*Service Description*/
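Review bot: `HIDD_APP_DESCRIPTOR_LEN` is introduced without a comment, although it now bounds both the BTA-side buffer (`BTA_HD_APP_DESCRIPTOR_LEN`) and the SDP record built in `hidd_api.cc` elsewhere in this patch. State the contract at the definition: `/* Maximum accepted HID report descriptor length; also sizes the BTA HD application descriptor buffer. */`. Documenting the coupling here makes it less likely the limit is raised in one place without the other being re-checked.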
diff --git a/stack/l2cap/l2c_fcr.cc b/stack/l2cap/l2c_fcr.cc
index b20b9c1..8326e4d 100644
--- a/stack/l2cap/l2c_fcr.cc
+++ b/stack/l2cap/l2c_fcr.cc
@@ -841,6 +841,14 @@
return;
}
+ if (sdu_length < p_buf->len) {
+ L2CAP_TRACE_ERROR("%s: Invalid sdu_length: %d", __func__, sdu_length);
+ android_errorWriteWithInfoLog(0x534e4554, "112321180", -1, NULL, 0);
+ /* Discard the buffer */
+ osi_free(p_buf);
+ return;
+ }
+
p_data = (BT_HDR*)osi_malloc(BT_HDR_SIZE + sdu_length);
if (p_data == NULL) {
osi_free(p_buf);
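Review bot: The new guard rejects a first segment whose length exceeds the declared `sdu_length`, but the trace logs only `sdu_length`, so a field report cannot show how far off the segment was; include the segment size: `L2CAP_TRACE_ERROR("%s: Invalid sdu_length: %d, segment len: %d", __func__, sdu_length, p_buf->len);`. A short comment stating why the comparison matters would also help, since the allocation two lines below is sized only by `sdu_length` and the hazard is not obvious from the check alone, e.g. `/* A first segment longer than the declared SDU cannot fit the sdu_length-sized reassembly buffer allocated below. */` — confirm that the segment is copied into that buffer further down. The enclosing function starts and ends outside the hunk.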
diff --git a/stack/sdp/sdp_discovery.cc b/stack/sdp/sdp_discovery.cc
index 8d662b8..95f55bf 100644
--- a/stack/sdp/sdp_discovery.cc
+++ b/stack/sdp/sdp_discovery.cc
@@ -280,6 +280,11 @@
uint16_t total, cur_handles, orig;
uint8_t cont_len;
+ if (p_reply + 8 > p_reply_end) {
+ android_errorWriteLog(0x534e4554, "74249842");
+ sdp_disconnect(p_ccb, SDP_GENERIC_ERROR);
+ return;
+ }
/* Skip transaction, and param len */
p_reply += 4;
BE_STREAM_TO_UINT16(total, p_reply);
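Review bot: `p_reply + 8 > p_reply_end` forms a pointer beyond the end of the reply buffer before comparing it, which is undefined behaviour in C++ precisely in the short-reply case the check exists for and which an optimiser may exploit; compare the remaining length instead: `if (p_reply_end - p_reply < 8) {`. The same pattern appears in the next hunk of this file, `p_reply + ((p_ccb->num_handles - orig) * 4) + 1 > p_reply_end`, which should become `if (p_reply_end - p_reply < (p_ccb->num_handles - orig) * 4 + 1) {`. The constant `8` also deserves a comment, e.g. `/* 4 header bytes skipped below plus two 16-bit counts */` — the second count read is past the visible lines, so confirm it before writing that. The enclosing function begins outside the hunk.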
@@ -298,6 +303,12 @@
if (p_ccb->num_handles > sdp_cb.max_recs_per_search)
p_ccb->num_handles = sdp_cb.max_recs_per_search;
+ if (p_reply + ((p_ccb->num_handles - orig) * 4) + 1 > p_reply_end) {
+ android_errorWriteLog(0x534e4554, "74249842");
+ sdp_disconnect(p_ccb, SDP_GENERIC_ERROR);
+ return;
+ }
+
for (xx = orig; xx < p_ccb->num_handles; xx++)
BE_STREAM_TO_UINT32(p_ccb->handles[xx], p_reply);