Merge cherrypicks of [3661626, 3661980, 3662429, 3661545, 3661546, 3661579, 3661580, 3662430, 3661547, 3661548, 3661549, 3661550, 3662578, 3662579, 3662580, 3662581, 3662582, 3662583, 3661597, 3661598, 3661551, 3661552, 3661553, 3661554, 3661555, 3662596, 3662597, 3662598, 3662599, 3662584, 3662585, 3662586, 3662616, 3662617, 3662618] into oc-m4-release Change-Id: I725e9b7e0aaa0d5767b92f0096d2a5691d2af035

commit: c851de169dfb9df6c8d37324b7af5ffde4456aeb [log] [tgz]
author: android-build-team Robot <android-build-team-robot@google.com> Mon Feb 26 23:53:31 2018 +0000
committer: android-build-team Robot <android-build-team-robot@google.com> Mon Feb 26 23:53:31 2018 +0000
tree: 0a9b2cb6ae5da5a626d273eb5e7d957df1a4b468
parent: 044d7d2b7f08261548dee0d974e546f1dd441731 [diff]
parent: eb8771e52f9ea39a9b1144a270d351c644f19850 [diff]
diff --git a/osi/src/config.cc b/osi/src/config.cc
index 1019721..fc64d47 100644
--- a/osi/src/config.cc
+++ b/osi/src/config.cc

@@ -34,6 +34,7 @@
 #include "osi/include/allocator.h"
 #include "osi/include/list.h"
 #include "osi/include/log.h"
+#include "log/log.h"
 
 typedef struct {
   char* key;
@@ -217,17 +218,27 @@
     list_append(config->sections, sec);
   }
 
+  std::string value_string = value;
+  std::string value_no_newline;
+  size_t newline_position = value_string.find("\n");
+  if (newline_position != std::string::npos) {
+    android_errorWriteLog(0x534e4554, "70808273");
+    value_no_newline = value_string.substr(0, newline_position);
+  } else {
+    value_no_newline = value_string;
+  }
+
   for (const list_node_t* node = list_begin(sec->entries);
        node != list_end(sec->entries); node = list_next(node)) {
     entry_t* entry = static_cast<entry_t*>(list_node(node));
     if (!strcmp(entry->key, key)) {
       osi_free(entry->value);
-      entry->value = osi_strdup(value);
+      entry->value = osi_strdup(value_no_newline.c_str());
       return;
     }
   }
 
-  entry_t* entry = entry_new(key, value);
+  entry_t* entry = entry_new(key, value_no_newline.c_str());
   list_append(sec->entries, entry);
 }
 

diff --git a/stack/avrc/avrc_pars_ct.cc b/stack/avrc/avrc_pars_ct.cc
index 144c778..3343624 100644
--- a/stack/avrc/avrc_pars_ct.cc
+++ b/stack/avrc/avrc_pars_ct.cc

@@ -22,6 +22,7 @@
 #include "avrc_int.h"
 #include "bt_common.h"
 #include "bt_utils.h"
+#include "log/log.h"
 #include "osi/include/osi.h"
 
 /*****************************************************************************
@@ -459,6 +460,12 @@
       BE_STREAM_TO_UINT8(p_result->list_app_attr.num_attr, p);
       AVRC_TRACE_DEBUG("%s attr count = %d ", __func__,
                        p_result->list_app_attr.num_attr);
+
+      if (p_result->list_app_attr.num_attr > AVRC_MAX_APP_ATTR_SIZE) {
+        android_errorWriteLog(0x534e4554, "63146237");
+        p_result->list_app_attr.num_attr = AVRC_MAX_APP_ATTR_SIZE;
+      }
+
       for (int xx = 0; xx < p_result->list_app_attr.num_attr; xx++) {
         BE_STREAM_TO_UINT8(p_result->list_app_attr.attrs[xx], p);
       }
@@ -487,6 +494,12 @@
           p_result->get_cur_app_val.num_val * sizeof(tAVRC_APP_SETTING));
       AVRC_TRACE_DEBUG("%s attr count = %d ", __func__,
                        p_result->get_cur_app_val.num_val);
+
+      if (p_result->get_cur_app_val.num_val > AVRC_MAX_APP_ATTR_SIZE) {
+        android_errorWriteLog(0x534e4554, "63146237");
+        p_result->get_cur_app_val.num_val = AVRC_MAX_APP_ATTR_SIZE;
+      }
+
       for (int xx = 0; xx < p_result->get_cur_app_val.num_val; xx++) {
         BE_STREAM_TO_UINT8(app_sett[xx].attr_id, p);
         BE_STREAM_TO_UINT8(app_sett[xx].attr_val, p);
@@ -495,7 +508,6 @@
     } break;
 
     case AVRC_PDU_GET_PLAYER_APP_ATTR_TEXT: {
-      tAVRC_APP_SETTING_TEXT* p_setting_text;
       uint8_t num_attrs;
 
       if (len == 0) {
@@ -503,10 +515,14 @@
         break;
       }
       BE_STREAM_TO_UINT8(num_attrs, p);
+      if (num_attrs > AVRC_MAX_APP_ATTR_SIZE) {
+        num_attrs = AVRC_MAX_APP_ATTR_SIZE;
+      }
       AVRC_TRACE_DEBUG("%s attr count = %d ", __func__,
                        p_result->get_app_attr_txt.num_attr);
       p_result->get_app_attr_txt.num_attr = num_attrs;
-      p_setting_text = (tAVRC_APP_SETTING_TEXT*)osi_malloc(
+
+      p_result->get_app_attr_txt.p_attrs = (tAVRC_APP_SETTING_TEXT*)osi_malloc(
           num_attrs * sizeof(tAVRC_APP_SETTING_TEXT));
       for (int xx = 0; xx < num_attrs; xx++) {
         BE_STREAM_TO_UINT8(p_result->get_app_attr_txt.p_attrs[xx].attr_id, p);
@@ -526,7 +542,6 @@
     } break;
 
     case AVRC_PDU_GET_PLAYER_APP_VALUE_TEXT: {
-      tAVRC_APP_SETTING_TEXT* p_setting_text;
       uint8_t num_vals;
 
       if (len == 0) {
@@ -534,11 +549,14 @@
         break;
       }
       BE_STREAM_TO_UINT8(num_vals, p);
+      if (num_vals > AVRC_MAX_APP_ATTR_SIZE) {
+        num_vals = AVRC_MAX_APP_ATTR_SIZE;
+      }
       p_result->get_app_val_txt.num_attr = num_vals;
       AVRC_TRACE_DEBUG("%s value count = %d ", __func__,
                        p_result->get_app_val_txt.num_attr);
 
-      p_setting_text = (tAVRC_APP_SETTING_TEXT*)osi_malloc(
+      p_result->get_app_val_txt.p_attrs = (tAVRC_APP_SETTING_TEXT*)osi_malloc(
           num_vals * sizeof(tAVRC_APP_SETTING_TEXT));
       for (int i = 0; i < num_vals; i++) {
         BE_STREAM_TO_UINT8(p_result->get_app_val_txt.p_attrs[i].attr_id, p);

diff --git a/stack/avrc/avrc_pars_tg.cc b/stack/avrc/avrc_pars_tg.cc
index 1ed6963..12b7598 100644
--- a/stack/avrc/avrc_pars_tg.cc
+++ b/stack/avrc/avrc_pars_tg.cc

@@ -220,6 +220,11 @@
               p_result->get_app_val_txt.num_val)
             status = AVRC_STS_INTERNAL_ERR;
           else {
+            if (p_result->get_app_val_txt.num_val > AVRC_MAX_APP_ATTR_SIZE) {
+              android_errorWriteLog(0x534e4554, "63146237");
+              p_result->get_app_val_txt.num_val = AVRC_MAX_APP_ATTR_SIZE;
+            }
+
             p_u8 = p_result->get_app_val_txt.vals;
             for (xx = 0; xx < p_result->get_app_val_txt.num_val; xx++) {
               p_u8[xx] = *p++;
@@ -492,8 +497,11 @@
       BE_STREAM_TO_UINT16(p_result->search.string.str_len, p);
       p_result->search.string.p_str = p_buf;
       if (p_buf) {
-        if (buf_len > p_result->search.string.str_len)
-          buf_len = p_result->search.string.str_len;
+        if (p_result->search.string.str_len > buf_len) {
+          p_result->search.string.str_len = buf_len;
+        } else {
+          android_errorWriteLog(0x534e4554, "63146237");
+        }
         BE_STREAM_TO_ARRAY(p, p_buf, p_result->search.string.str_len);
       } else {
         status = AVRC_STS_INTERNAL_ERR;

diff --git a/stack/sdp/sdp_server.cc b/stack/sdp/sdp_server.cc
index b18f429..e4ed60a 100644
--- a/stack/sdp/sdp_server.cc
+++ b/stack/sdp/sdp_server.cc

@@ -24,7 +24,6 @@
  ******************************************************************************/
 
 #include <cutils/log.h>
-
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -54,7 +53,7 @@
 /******************************************************************************/
 static void process_service_search(tCONN_CB* p_ccb, uint16_t trans_num,
                                    uint16_t param_len, uint8_t* p_req,
-                                   UNUSED_ATTR uint8_t* p_req_end);
+                                   uint8_t* p_req_end);
 
 static void process_service_attr_req(tCONN_CB* p_ccb, uint16_t trans_num,
                                      uint16_t param_len, uint8_t* p_req,
@@ -62,7 +61,7 @@
 
 static void process_service_search_attr_req(tCONN_CB* p_ccb, uint16_t trans_num,
                                             uint16_t param_len, uint8_t* p_req,
-                                            UNUSED_ATTR uint8_t* p_req_end);
+                                            uint8_t* p_req_end);
 
 /******************************************************************************/
 /*                E R R O R   T E X T   S T R I N G S                         */
@@ -123,11 +122,25 @@
   alarm_set_on_mloop(p_ccb->sdp_conn_timer, SDP_INACT_TIMEOUT_MS,
                      sdp_conn_timer_timeout, p_ccb);
 
+  if (p_req + sizeof(pdu_id) + sizeof(trans_num) > p_req_end) {
+    android_errorWriteLog(0x534e4554, "69384124");
+    trans_num = 0;
+    sdpu_build_n_send_error(p_ccb, trans_num, SDP_INVALID_REQ_SYNTAX,
+                            SDP_TEXT_BAD_HEADER);
+  }
+
   /* The first byte in the message is the pdu type */
   pdu_id = *p_req++;
 
   /* Extract the transaction number and parameter length */
   BE_STREAM_TO_UINT16(trans_num, p_req);
+
+  if (p_req + sizeof(param_len) > p_req_end) {
+    android_errorWriteLog(0x534e4554, "69384124");
+    sdpu_build_n_send_error(p_ccb, trans_num, SDP_INVALID_REQ_SYNTAX,
+                            SDP_TEXT_BAD_HEADER);
+  }
+
   BE_STREAM_TO_UINT16(param_len, p_req);
 
   if ((p_req + param_len) != p_req_end) {
@@ -171,7 +184,7 @@
  ******************************************************************************/
 static void process_service_search(tCONN_CB* p_ccb, uint16_t trans_num,
                                    uint16_t param_len, uint8_t* p_req,
-                                   UNUSED_ATTR uint8_t* p_req_end) {
+                                   uint8_t* p_req_end) {
   uint16_t max_replies, cur_handles, rem_handles, cont_offset;
   tSDP_UUID_SEQ uid_seq;
   uint8_t *p_rsp, *p_rsp_start, *p_rsp_param_len;
@@ -189,15 +202,15 @@
   }
 
   /* Get the max replies we can send. Cap it at our max anyways. */
-  BE_STREAM_TO_UINT16(max_replies, p_req);
-
-  if (max_replies > SDP_MAX_RECORDS) max_replies = SDP_MAX_RECORDS;
-
-  if ((!p_req) || (p_req > p_req_end)) {
+  if (p_req + sizeof(max_replies) + sizeof(uint8_t) > p_req_end) {
+    android_errorWriteLog(0x534e4554, "69384124");
     sdpu_build_n_send_error(p_ccb, trans_num, SDP_INVALID_REQ_SYNTAX,
                             SDP_TEXT_BAD_MAX_RECORDS_LIST);
     return;
   }
+  BE_STREAM_TO_UINT16(max_replies, p_req);
+
+  if (max_replies > SDP_MAX_RECORDS) max_replies = SDP_MAX_RECORDS;
 
   /* Get a list of handles that match the UUIDs given to us */
   for (num_rsp_handles = 0; num_rsp_handles < max_replies;) {
@@ -211,7 +224,8 @@
 
   /* Check if this is a continuation request */
   if (*p_req) {
-    if (*p_req++ != SDP_CONTINUATION_LEN || (p_req >= p_req_end)) {
+    if (*p_req++ != SDP_CONTINUATION_LEN ||
+        (p_req + sizeof(cont_offset) > p_req_end)) {
       sdpu_build_n_send_error(p_ccb, trans_num, SDP_INVALID_CONT_STATE,
                               SDP_TEXT_BAD_CONT_LEN);
       return;
@@ -310,15 +324,16 @@
   bool is_cont = false;
   uint16_t attr_len;
 
-  /* Extract the record handle */
-  BE_STREAM_TO_UINT32(rec_handle, p_req);
-
-  if (p_req > p_req_end) {
+  if (p_req + sizeof(rec_handle) + sizeof(max_list_len) > p_req_end) {
+    android_errorWriteLog(0x534e4554, "69384124");
     sdpu_build_n_send_error(p_ccb, trans_num, SDP_INVALID_SERV_REC_HDL,
                             SDP_TEXT_BAD_HANDLE);
     return;
   }
 
+  /* Extract the record handle */
+  BE_STREAM_TO_UINT32(rec_handle, p_req);
+
   /* Get the max list length we can send. Cap it at MTU size minus overhead */
   BE_STREAM_TO_UINT16(max_list_len, p_req);
 
@@ -327,7 +342,8 @@
 
   p_req = sdpu_extract_attr_seq(p_req, param_len, &attr_seq);
 
-  if ((!p_req) || (!attr_seq.num_attr) || (p_req > p_req_end)) {
+  if ((!p_req) || (!attr_seq.num_attr) ||
+      (p_req + sizeof(uint8_t) > p_req_end)) {
     sdpu_build_n_send_error(p_ccb, trans_num, SDP_INVALID_REQ_SYNTAX,
                             SDP_TEXT_BAD_ATTR_LIST);
     return;
@@ -355,7 +371,8 @@
 
   /* Check if this is a continuation request */
   if (*p_req) {
-    if (*p_req++ != SDP_CONTINUATION_LEN) {
+    if (*p_req++ != SDP_CONTINUATION_LEN ||
+        (p_req + sizeof(cont_offset) > p_req_end)) {
       sdpu_build_n_send_error(p_ccb, trans_num, SDP_INVALID_CONT_STATE,
                               SDP_TEXT_BAD_CONT_LEN);
       return;
@@ -520,7 +537,7 @@
  ******************************************************************************/
 static void process_service_search_attr_req(tCONN_CB* p_ccb, uint16_t trans_num,
                                             uint16_t param_len, uint8_t* p_req,
-                                            UNUSED_ATTR uint8_t* p_req_end) {
+                                            uint8_t* p_req_end) {
   uint16_t max_list_len;
   int16_t rem_len;
   uint16_t len_to_send, cont_offset;
@@ -537,7 +554,8 @@
   /* Extract the UUID sequence to search for */
   p_req = sdpu_extract_uid_seq(p_req, param_len, &uid_seq);
 
-  if ((!p_req) || (!uid_seq.num_uids)) {
+  if ((!p_req) || (!uid_seq.num_uids) ||
+      (p_req + sizeof(uint16_t) > p_req_end)) {
     sdpu_build_n_send_error(p_ccb, trans_num, SDP_INVALID_REQ_SYNTAX,
                             SDP_TEXT_BAD_UUID_LIST);
     return;
@@ -551,7 +569,8 @@
 
   p_req = sdpu_extract_attr_seq(p_req, param_len, &attr_seq);
 
-  if ((!p_req) || (!attr_seq.num_attr)) {
+  if ((!p_req) || (!attr_seq.num_attr) ||
+      (p_req + sizeof(uint8_t) > p_req_end)) {
     sdpu_build_n_send_error(p_ccb, trans_num, SDP_INVALID_REQ_SYNTAX,
                             SDP_TEXT_BAD_ATTR_LIST);
     return;
@@ -571,7 +590,8 @@
 
   /* Check if this is a continuation request */
   if (*p_req) {
-    if (*p_req++ != SDP_CONTINUATION_LEN) {
+    if (*p_req++ != SDP_CONTINUATION_LEN ||
+        (p_req + sizeof(uint16_t) > p_req_end)) {
       sdpu_build_n_send_error(p_ccb, trans_num, SDP_INVALID_CONT_STATE,
                               SDP_TEXT_BAD_CONT_LEN);
       return;

diff --git a/stack/sdp/sdp_utils.cc b/stack/sdp/sdp_utils.cc
index 803e963..e6589d4 100644
--- a/stack/sdp/sdp_utils.cc
+++ b/stack/sdp/sdp_utils.cc

@@ -332,6 +332,8 @@
   p_seq->num_uids = 0;
 
   /* A UID sequence is composed of a bunch of UIDs. */
+  if (sizeof(descr) > param_len) return (NULL);
+  param_len -= sizeof(descr);
 
   BE_STREAM_TO_UINT8(descr, p);
   type = descr >> 3;
@@ -350,19 +352,25 @@
       seq_len = 16;
       break;
     case SIZE_IN_NEXT_BYTE:
+      if (sizeof(uint8_t) > param_len) return (NULL);
+      param_len -= sizeof(uint8_t);
       BE_STREAM_TO_UINT8(seq_len, p);
       break;
     case SIZE_IN_NEXT_WORD:
+      if (sizeof(uint16_t) > param_len) return (NULL);
+      param_len -= sizeof(uint16_t);
       BE_STREAM_TO_UINT16(seq_len, p);
       break;
     case SIZE_IN_NEXT_LONG:
+      if (sizeof(uint32_t) > param_len) return (NULL);
+      param_len -= sizeof(uint32_t);
       BE_STREAM_TO_UINT32(seq_len, p);
       break;
     default:
       return (NULL);
   }
 
-  if (seq_len >= param_len) return (NULL);
+  if (seq_len > param_len) return (NULL);
 
   p_seq_end = p + seq_len;
 
@@ -385,12 +393,15 @@
         uuid_len = 16;
         break;
       case SIZE_IN_NEXT_BYTE:
+        if (p + sizeof(uint8_t) > p_seq_end) return NULL;
         BE_STREAM_TO_UINT8(uuid_len, p);
         break;
       case SIZE_IN_NEXT_WORD:
+        if (p + sizeof(uint16_t) > p_seq_end) return NULL;
         BE_STREAM_TO_UINT16(uuid_len, p);
         break;
       case SIZE_IN_NEXT_LONG:
+        if (p + sizeof(uint32_t) > p_seq_end) return NULL;
         BE_STREAM_TO_UINT32(uuid_len, p);
         break;
       default:
@@ -398,7 +409,8 @@
     }
 
     /* If UUID length is valid, copy it across */
-    if ((uuid_len == 2) || (uuid_len == 4) || (uuid_len == 16)) {
+    if (((uuid_len == 2) || (uuid_len == 4) || (uuid_len == 16)) &&
+        (p + uuid_len <= p_seq_end)) {
       p_seq->uuid_entry[p_seq->num_uids].len = (uint16_t)uuid_len;
       BE_STREAM_TO_ARRAY(p, p_seq->uuid_entry[p_seq->num_uids].value,
                          (int)uuid_len);
@@ -435,30 +447,38 @@
   p_seq->num_attr = 0;
 
   /* Get attribute sequence info */
+  if (param_len < sizeof(descr)) return NULL;
+  param_len -= sizeof(descr);
   BE_STREAM_TO_UINT8(descr, p);
   type = descr >> 3;
   size = descr & 7;
 
-  if (type != DATA_ELE_SEQ_DESC_TYPE) return (p);
+  if (type != DATA_ELE_SEQ_DESC_TYPE) return NULL;
 
   switch (size) {
     case SIZE_IN_NEXT_BYTE:
+      if (param_len < sizeof(uint8_t)) return NULL;
+      param_len -= sizeof(uint8_t);
       BE_STREAM_TO_UINT8(list_len, p);
       break;
 
     case SIZE_IN_NEXT_WORD:
+      if (param_len < sizeof(uint16_t)) return NULL;
+      param_len -= sizeof(uint16_t);
       BE_STREAM_TO_UINT16(list_len, p);
       break;
 
     case SIZE_IN_NEXT_LONG:
+      if (param_len < sizeof(uint32_t)) return NULL;
+      param_len -= sizeof(uint32_t);
       BE_STREAM_TO_UINT32(list_len, p);
       break;
 
     default:
-      return (p);
+      return NULL;
   }
 
-  if (list_len > param_len) return (p);
+  if (list_len > param_len) return NULL;
 
   p_end_list = p + list_len;
 
@@ -468,7 +488,7 @@
     type = descr >> 3;
     size = descr & 7;
 
-    if (type != UINT_DESC_TYPE) return (p);
+    if (type != UINT_DESC_TYPE) return NULL;
 
     switch (size) {
       case SIZE_TWO_BYTES:
@@ -478,20 +498,24 @@
         attr_len = 4;
         break;
       case SIZE_IN_NEXT_BYTE:
+        if (p + sizeof(uint8_t) > p_end_list) return NULL;
         BE_STREAM_TO_UINT8(attr_len, p);
         break;
       case SIZE_IN_NEXT_WORD:
+        if (p + sizeof(uint16_t) > p_end_list) return NULL;
         BE_STREAM_TO_UINT16(attr_len, p);
         break;
       case SIZE_IN_NEXT_LONG:
+        if (p + sizeof(uint32_t) > p_end_list) return NULL;
         BE_STREAM_TO_UINT32(attr_len, p);
         break;
       default:
-        return (NULL);
+        return NULL;
         break;
     }
 
     /* Attribute length must be 2-bytes or 4-bytes for a paired entry. */
+    if (p + attr_len > p_end_list) return NULL;
     if (attr_len == 2) {
       BE_STREAM_TO_UINT16(p_seq->attr_entry[p_seq->num_attr].start, p);
       p_seq->attr_entry[p_seq->num_attr].end =
commit	c851de169dfb9df6c8d37324b7af5ffde4456aeb	[log] [tgz]
author	android-build-team Robot <android-build-team-robot@google.com>	Mon Feb 26 23:53:31 2018 +0000
committer	android-build-team Robot <android-build-team-robot@google.com>	Mon Feb 26 23:53:31 2018 +0000
tree	0a9b2cb6ae5da5a626d273eb5e7d957df1a4b468
parent	044d7d2b7f08261548dee0d974e546f1dd441731 [diff]
parent	eb8771e52f9ea39a9b1144a270d351c644f19850 [diff]