Snap for 9157512 from 1e15c09009012f8824c625f23aa4a51ce9a94087 to mainline-tzdata3-release
Change-Id: Id28b3c593cd7ba16df93edcb1f9064382519c08e
diff --git a/btif/src/bluetooth.cc b/btif/src/bluetooth.cc
index a72f787..e684c12 100644
--- a/btif/src/bluetooth.cc
+++ b/btif/src/bluetooth.cc
@@ -359,11 +359,14 @@
static int pin_reply(const RawAddress* bd_addr, uint8_t accept, uint8_t pin_len,
bt_pin_code_t* pin_code) {
+ bt_pin_code_t tmp_pin_code;
+ /* sanity check */
if (!interface_ready()) return BT_STATUS_NOT_READY;
if (pin_code == nullptr || pin_len > PIN_CODE_LEN) return BT_STATUS_FAIL;
+ memcpy(&tmp_pin_code, pin_code, pin_len);
do_in_main_thread(FROM_HERE, base::BindOnce(btif_dm_pin_reply, *bd_addr,
- accept, pin_len, *pin_code));
+ accept, pin_len, tmp_pin_code));
return BT_STATUS_SUCCESS;
}
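Review bot: `tmp_pin_code` on the line after the signature is declared without an initializer and the memcpy copies only `pin_len` bytes into it, so whenever `pin_len < PIN_CODE_LEN` the rest of the struct stays indeterminate and is then copied by value into the BindOnce closure handed to the main thread. Zero-initialise it so the callee receives a fully defined value and no stale stack bytes travel with the task: `bt_pin_code_t tmp_pin_code = {};`. Separately, `bd_addr` is still dereferenced on the do_in_main_thread line without a null check, which would be consistent to add next to the `pin_code == nullptr` guard.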
diff --git a/stack/avct/avct_lcb_act.cc b/stack/avct/avct_lcb_act.cc
index 9e32ee4..1b41978 100644
--- a/stack/avct/avct_lcb_act.cc
+++ b/stack/avct/avct_lcb_act.cc
@@ -67,7 +67,12 @@
pkt_type = AVCT_PKT_TYPE(p);
/* quick sanity check on length */
- if (p_buf->len < avct_lcb_pkt_type_len[pkt_type]) {
+ if (p_buf->len < avct_lcb_pkt_type_len[pkt_type] ||
+ (sizeof(BT_HDR) + p_buf->offset + p_buf->len) > BT_DEFAULT_BUFFER_SIZE) {
+ if ((sizeof(BT_HDR) + p_buf->offset + p_buf->len) >
+ BT_DEFAULT_BUFFER_SIZE) {
+ android_errorWriteWithInfoLog(0x534e4554, "230867224", -1, NULL, 0);
+ }
osi_free(p_buf);
AVCT_TRACE_WARNING("Bad length during reassembly");
p_ret = NULL;
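Review bot: The size expression `sizeof(BT_HDR) + p_buf->offset + p_buf->len` is evaluated twice in the new code, once in the widened `if` and again in the nested `if` that decides whether to log, and the enclosing function continues outside the hunk. Hoisting it into a named local removes the duplication and documents what is being bounded: `const size_t rx_size = sizeof(BT_HDR) + p_buf->offset + p_buf->len;` then `if (p_buf->len < avct_lcb_pkt_type_len[pkt_type] || rx_size > BT_DEFAULT_BUFFER_SIZE) {` and `if (rx_size > BT_DEFAULT_BUFFER_SIZE) {`. The arithmetic is done in size_t because of the sizeof operand, so the comparison itself cannot wrap.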
@@ -88,13 +93,19 @@
if (p_lcb->p_rx_msg != NULL)
AVCT_TRACE_WARNING("Got start during reassembly");
- osi_free(p_lcb->p_rx_msg);
+ osi_free_and_reset((void**)&p_lcb->p_rx_msg);
/*
* Allocate bigger buffer for reassembly. As lower layers are
* not aware of possible packet size after reassembly, they
* would have allocated smaller buffer.
*/
+ if (sizeof(BT_HDR) + p_buf->offset + p_buf->len > BT_DEFAULT_BUFFER_SIZE) {
+ android_errorWriteLog(0x534e4554, "232023771");
+ osi_free(p_buf);
+ p_ret = NULL;
+ return p_ret;
+ }
p_lcb->p_rx_msg = (BT_HDR*)osi_malloc(BT_DEFAULT_BUFFER_SIZE);
memcpy(p_lcb->p_rx_msg, p_buf, sizeof(BT_HDR) + p_buf->offset + p_buf->len);
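Review bot: The new guard recomputes `sizeof(BT_HDR) + p_buf->offset + p_buf->len` and the memcpy on the last line of the hunk computes it a third time; the identical guard is copy-pasted into avdt_msg.cc (L63-L68) where the memcpy repeats it as well. Naming the value once per function keeps the guard and the copy length provably the same quantity: `const size_t rx_size = sizeof(BT_HDR) + p_buf->offset + p_buf->len;`, `if (rx_size > BT_DEFAULT_BUFFER_SIZE) {` and `memcpy(p_lcb->p_rx_msg, p_buf, rx_size);`. The `p_ret = NULL; return p_ret;` pair in the early exit can be the single line `return NULL;` unless the function's cleanup convention (outside the hunk) relies on `p_ret`. Note that because the preceding line already did osi_free_and_reset on `p_lcb->p_rx_msg`, the early return leaves the reassembly state consistently empty, which is worth saying in a comment on the guard.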
diff --git a/stack/avdt/avdt_msg.cc b/stack/avdt/avdt_msg.cc
index bb49ede..d0c5434 100644
--- a/stack/avdt/avdt_msg.cc
+++ b/stack/avdt/avdt_msg.cc
@@ -1250,6 +1250,12 @@
* not aware of possible packet size after reassembly, they
* would have allocated smaller buffer.
*/
+ if (sizeof(BT_HDR) + p_buf->offset + p_buf->len > BT_DEFAULT_BUFFER_SIZE) {
+ android_errorWriteLog(0x534e4554, "232023771");
+ osi_free(p_buf);
+ p_ret = NULL;
+ return p_ret;
+ }
p_ccb->p_rx_msg = (BT_HDR*)osi_malloc(BT_DEFAULT_BUFFER_SIZE);
memcpy(p_ccb->p_rx_msg, p_buf, sizeof(BT_HDR) + p_buf->offset + p_buf->len);
diff --git a/stack/avdt/avdt_scb_act.cc b/stack/avdt/avdt_scb_act.cc
index 8129344..2ffca86 100644
--- a/stack/avdt/avdt_scb_act.cc
+++ b/stack/avdt/avdt_scb_act.cc
@@ -310,7 +310,7 @@
uint8_t* p_start = p;
uint32_t ssrc;
uint8_t o_v, o_p, o_cc;
- uint16_t min_len = 0;
+ uint32_t min_len = 0;
AVDT_REPORT_TYPE pt;
tAVDT_REPORT_DATA report;
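Review bot: The widening of `min_len` from uint16_t to uint32_t on the changed line carries no comment explaining why the narrower accumulator was wrong, so a later cleanup could narrow it back; the same unexplained widening is made in avrc_pars_ct.cc (L90-L91, L98-L99, L137-L138) and avrc_pars_tg.cc (L149-L150). The uses of `min_len` are outside these hunks, but it is presumably incremented as fields are consumed and compared against a 16-bit length, in which case a 16-bit accumulator could wrap and make the length check pass — confirm against the callers. A one-line why-comment at each declaration would preserve the intent: `uint32_t min_len = 0; /* wider than the 16-bit lengths it is compared with so accumulated field sizes cannot wrap */`. The L98-L99 change also moves from signed `int` to unsigned, which changes how `pkt_len < min_len` is promoted; that is harmless here but deserves a word in the same comment.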
diff --git a/stack/avrc/avrc_pars_ct.cc b/stack/avrc/avrc_pars_ct.cc
index 0555af0..2d6f8b2 100644
--- a/stack/avrc/avrc_pars_ct.cc
+++ b/stack/avrc/avrc_pars_ct.cc
@@ -141,7 +141,7 @@
tAVRC_STS avrc_parse_notification_rsp(uint8_t* p_stream, uint16_t len,
tAVRC_REG_NOTIF_RSP* p_rsp) {
- uint16_t min_len = 1;
+ uint32_t min_len = 1;
if (len < min_len) goto length_error;
BE_STREAM_TO_UINT8(p_rsp->event_id, p_stream);
@@ -237,7 +237,7 @@
}
BE_STREAM_TO_UINT8(pdu, p);
uint16_t pkt_len;
- int min_len = 0;
+ uint32_t min_len = 0;
/* read the entire packet len */
BE_STREAM_TO_UINT16(pkt_len, p);
@@ -279,7 +279,7 @@
get_item_rsp->uid_counter, get_item_rsp->item_count);
/* get each of the items */
- get_item_rsp->p_item_list = (tAVRC_ITEM*)osi_malloc(
+ get_item_rsp->p_item_list = (tAVRC_ITEM*)osi_calloc(
get_item_rsp->item_count * (sizeof(tAVRC_ITEM)));
tAVRC_ITEM* curr_item = get_item_rsp->p_item_list;
for (int i = 0; i < get_item_rsp->item_count; i++) {
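Review bot: The switch to osi_calloc on the changed line zero-fills the array but nothing records why; the likely reason is that a parse error part-way through the loop below leaves the remaining `tAVRC_ITEM` entries (and any nested pointers a caller later frees) null instead of indeterminate — the error paths are outside the hunk, so confirm. A short comment at the allocation would keep the intent from being "optimised" back to malloc, e.g. `/* zero-filled: entries past a parse error must not hold garbage pointers */`; the same change and comment apply at L113-L114, L122-L123 and L130-L131. Assuming `item_count` is a 16-bit field, `item_count * sizeof(tAVRC_ITEM)` is evaluated in size_t and cannot overflow, but an `item_count` of 0 passes a zero size to osi_calloc, so check what that returns and whether the loop tolerates it.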
@@ -369,7 +369,7 @@
__func__, media->type, media->name.charset_id,
media->name.str_len, media->attr_count);
- media->p_attr_list = (tAVRC_ATTR_ENTRY*)osi_malloc(
+ media->p_attr_list = (tAVRC_ATTR_ENTRY*)osi_calloc(
media->attr_count * sizeof(tAVRC_ATTR_ENTRY));
for (int jk = 0; jk < media->attr_count; jk++) {
tAVRC_ATTR_ENTRY* attr_entry = &(media->p_attr_list[jk]);
@@ -435,7 +435,7 @@
}
BE_STREAM_TO_UINT8(get_attr_rsp->status, p)
BE_STREAM_TO_UINT8(get_attr_rsp->num_attrs, p);
- get_attr_rsp->p_attrs = (tAVRC_ATTR_ENTRY*)osi_malloc(
+ get_attr_rsp->p_attrs = (tAVRC_ATTR_ENTRY*)osi_calloc(
get_attr_rsp->num_attrs * sizeof(tAVRC_ATTR_ENTRY));
for (int i = 0; i < get_attr_rsp->num_attrs; i++) {
tAVRC_ATTR_ENTRY* attr_entry = &(get_attr_rsp->p_attrs[i]);
@@ -481,7 +481,7 @@
__func__, set_br_pl_rsp->status, set_br_pl_rsp->num_items,
set_br_pl_rsp->charset_id, set_br_pl_rsp->folder_depth);
- set_br_pl_rsp->p_folders = (tAVRC_NAME*)osi_malloc(
+ set_br_pl_rsp->p_folders = (tAVRC_NAME*)osi_calloc(
set_br_pl_rsp->folder_depth * sizeof(tAVRC_NAME));
/* Read each of the folder in the depth */
@@ -541,7 +541,7 @@
p++; /* skip the reserved/packe_type byte */
uint16_t len;
- uint16_t min_len = 0;
+ uint32_t min_len = 0;
BE_STREAM_TO_UINT16(len, p);
AVRC_TRACE_DEBUG("%s ctype:0x%x pdu:0x%x, len:%d vendor_len=0x%x", __func__,
p_msg->hdr.ctype, p_result->pdu, len, p_msg->vendor_len);
diff --git a/stack/avrc/avrc_pars_tg.cc b/stack/avrc/avrc_pars_tg.cc
index 98a6495..22e32d4 100644
--- a/stack/avrc/avrc_pars_tg.cc
+++ b/stack/avrc/avrc_pars_tg.cc
@@ -444,7 +444,7 @@
uint8_t* p = p_msg->p_browse_data;
int count;
- uint16_t min_len = 3;
+ uint32_t min_len = 3;
RETURN_STATUS_IF_FALSE(AVRC_STS_BAD_CMD, (p_msg->browse_len >= min_len),
"msg too short");
diff --git a/stack/bnep/bnep_api.cc b/stack/bnep/bnep_api.cc
index 455dc16..0996370 100644
--- a/stack/bnep/bnep_api.cc
+++ b/stack/bnep/bnep_api.cc
@@ -256,6 +256,7 @@
p = (uint8_t*)(p_bcb->p_pending_data + 1) + p_bcb->p_pending_data->offset;
while (extension_present && p && rem_len) {
ext_type = *p++;
+ rem_len--;
extension_present = ext_type >> 7;
ext_type &= 0x7F;
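Review bot: The added `rem_len--` accounts only for the type byte consumed by `*p++` on the line above it; the `while` condition guarantees just that one byte was available, and the loop body continues outside the hunk, so whatever reads the extension length byte and the extension payload next needs its own `rem_len` check before each read. Please confirm those reads are bounded (I cannot see them here). Making the bookkeeping explicit helps the next reader: `rem_len--; /* type byte consumed; rem_len now counts the bytes after it */`.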
diff --git a/stack/sdp/sdp_discovery.cc b/stack/sdp/sdp_discovery.cc
index e607540..fc53fc7 100644
--- a/stack/sdp/sdp_discovery.cc
+++ b/stack/sdp/sdp_discovery.cc
@@ -282,7 +282,7 @@
orig = p_ccb->num_handles;
p_ccb->num_handles += cur_handles;
- if (p_ccb->num_handles == 0) {
+ if (p_ccb->num_handles == 0 || p_ccb->num_handles < orig) {
SDP_TRACE_WARNING("SDP - Rcvd ServiceSearchRsp, no matches");
sdp_disconnect(p_ccb, SDP_NO_RECS_MATCH);
return;
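Review bot: The new `p_ccb->num_handles < orig` test on the changed line detects wraparound only after the addition on the previous line has already happened, which is well-defined only if `num_handles` is an unsigned type — its declaration is outside the hunk, and if it is signed the overflow is UB and the check may be optimised away. Checking before adding avoids the question entirely: `if (cur_handles > <MAX_OF_NUM_HANDLES_TYPE> - orig) { ... }`. The overflow case also reuses the "no matches" warning, so it is indistinguishable in logs from an empty response; a dedicated line such as `if (p_ccb->num_handles < orig) SDP_TRACE_WARNING("SDP - Rcvd ServiceSearchRsp, handle count overflow");` before the disconnect makes the malformed-response case visible.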
diff --git a/stack/test/stack_avrcp_test.cc b/stack/test/stack_avrcp_test.cc
index 72ec45f..e731e98 100644
--- a/stack/test/stack_avrcp_test.cc
+++ b/stack/test/stack_avrcp_test.cc
@@ -27,6 +27,56 @@
virtual ~StackAvrcpTest() = default;
};
+TEST_F(StackAvrcpTest, test_avrcp_ctrl_parse_vendor_rsp) {
+ uint8_t scratch_buf[512]{};
+ uint16_t scratch_buf_len = 512;
+ tAVRC_MSG msg{};
+ tAVRC_RESPONSE result{};
+ uint8_t vendor_rsp_buf[512]{};
+
+ msg.hdr.opcode = AVRC_OP_VENDOR;
+ msg.hdr.ctype = AVRC_CMD_STATUS;
+
+ memset(vendor_rsp_buf, 0, sizeof(vendor_rsp_buf));
+ vendor_rsp_buf[0] = AVRC_PDU_GET_ELEMENT_ATTR;
+ uint8_t* p = &vendor_rsp_buf[2];
+ UINT16_TO_BE_STREAM(p, 0x0009); // parameter length
+ UINT8_TO_STREAM(p, 0x01); // number of attributes
+ UINT32_TO_STREAM(p, 0x00000000); // attribute ID
+ UINT16_TO_STREAM(p, 0x0000); // character set ID
+ UINT16_TO_STREAM(p, 0xffff); // attribute value length
+ msg.vendor.p_vendor_data = vendor_rsp_buf;
+ msg.vendor.vendor_len = 13;
+ EXPECT_EQ(
+ AVRC_Ctrl_ParsResponse(&msg, &result, scratch_buf, &scratch_buf_len),
+ AVRC_STS_INTERNAL_ERR);
+}
+
+TEST_F(StackAvrcpTest, test_avrcp_parse_browse_rsp) {
+ uint8_t scratch_buf[512]{};
+ uint16_t scratch_buf_len = 512;
+ tAVRC_MSG msg{};
+ tAVRC_RESPONSE result{};
+ uint8_t browse_rsp_buf[512]{};
+
+ msg.hdr.opcode = AVRC_OP_BROWSE;
+
+ memset(browse_rsp_buf, 0, sizeof(browse_rsp_buf));
+ browse_rsp_buf[0] = AVRC_PDU_GET_ITEM_ATTRIBUTES;
+ uint8_t* p = &browse_rsp_buf[1];
+ UINT16_TO_BE_STREAM(p, 0x000a); // parameter length;
+ UINT8_TO_STREAM(p, 0x04); // status
+ UINT8_TO_STREAM(p, 0x01); // number of attribute
+ UINT32_TO_STREAM(p, 0x00000000); // attribute ID
+ UINT16_TO_STREAM(p, 0x0000); // character set ID
+ UINT16_TO_STREAM(p, 0xffff); // attribute value length
+ msg.browse.p_browse_data = browse_rsp_buf;
+ msg.browse.browse_len = 13;
+ EXPECT_EQ(
+ AVRC_Ctrl_ParsResponse(&msg, &result, scratch_buf, &scratch_buf_len),
+ AVRC_STS_BAD_CMD);
+}
+
TEST_F(StackAvrcpTest, test_avrcp_parse_browse_cmd) {
uint8_t scratch_buf[512]{};
tAVRC_MSG msg{};
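Review bot: Both new tests hard-code the message length (`msg.vendor.vendor_len = 13;`, `msg.browse.browse_len = 13;`) separately from the bytes they actually write through `p`, so editing either test's payload silently desynchronises them; deriving the length from the cursor keeps them in step: `msg.vendor.vendor_len = static_cast<uint16_t>(p - vendor_rsp_buf);` and likewise `msg.browse.browse_len = static_cast<uint16_t>(p - browse_rsp_buf);`. The `memset(vendor_rsp_buf, 0, ...)` and `memset(browse_rsp_buf, 0, ...)` calls are redundant because both arrays are declared with `{}` and are therefore already zero-initialised. The comment on the browse parameter-length line has a stray trailing semicolon, and the vendor test sets `msg.hdr.ctype = AVRC_CMD_STATUS` on what is parsed as a response — worth a comment if that is intentional.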