Google Git
Sign in
android / platform / system / bt / refs/tags/android-mainline-12.0.0_r104^1..refs/tags/android-mainline-12.0.0_r104 / .
commit1958769e8d516dbc2ba45f82e093718932aadc60[log] [tgz]
authorAndroid Build Coastguard Worker <android-build-coastguard-worker@google.com>Sat Feb 12 13:06:44 2022 +0000
committerAndroid Build Coastguard Worker <android-build-coastguard-worker@google.com>Sat Feb 12 13:06:44 2022 +0000
tree5f513e5ffb0abef3c4c4341e0fb454914627ace4
parentc80383a58ab9ccbfc4dbe47a5b054acd7bdabf26 [diff]
parent09f3e013ae9aacb8a7c09b19646aa85160410b02 [diff]
Snap for 8178294 from 09f3e013ae9aacb8a7c09b19646aa85160410b02 to mainline-media-release

Change-Id: I28c4295d02d8a4f1bd30f56c9530d880cc39ff2f

diff --git a/apex/Android.bp b/apex/Android.bp
index c206dca..676623a 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp

@@ -35,3 +35,12 @@
     name: "com.android.bluetooth.updatable.certificate",
     certificate: "com.android.bluetooth.updatable",
 }
+
+// Empty, disabled APEX to allow other libraries to specify "apex_available"
+// in all branches without merge conflicts.
+apex {
+    name: "com.android.bluetooth",
+    enabled: false,
+    key: "com.android.bluetooth.updatable.key",
+    certificate: ":com.android.bluetooth.updatable.certificate",
+}

diff --git a/stack/avrc/avrc_pars_ct.cc b/stack/avrc/avrc_pars_ct.cc
index 2141bf17..0555af0 100644
--- a/stack/avrc/avrc_pars_ct.cc
+++ b/stack/avrc/avrc_pars_ct.cc

@@ -581,6 +581,10 @@
                        p_result->get_caps.capability_id,
                        p_result->get_caps.count);
       if (p_result->get_caps.capability_id == AVRC_CAP_COMPANY_ID) {
+        if (p_result->get_caps.count > AVRC_CAP_MAX_NUM_COMP_ID) {
+          android_errorWriteLog(0x534e4554, "205837191");
+          return AVRC_STS_INTERNAL_ERR;
+        }
         min_len += MIN(p_result->get_caps.count, AVRC_CAP_MAX_NUM_COMP_ID) * 3;
         if (len < min_len) goto length_error;
         for (int xx = 0; ((xx < p_result->get_caps.count) &&
@@ -590,6 +594,10 @@
         }
       } else if (p_result->get_caps.capability_id ==
                  AVRC_CAP_EVENTS_SUPPORTED) {
+        if (p_result->get_caps.count > AVRC_CAP_MAX_NUM_EVT_ID) {
+          android_errorWriteLog(0x534e4554, "205837191");
+          return AVRC_STS_INTERNAL_ERR;
+        }
         min_len += MIN(p_result->get_caps.count, AVRC_CAP_MAX_NUM_EVT_ID);
         if (len < min_len) goto length_error;
         for (int xx = 0; ((xx < p_result->get_caps.count) &&

diff --git a/stack/l2cap/l2c_ble.cc b/stack/l2cap/l2c_ble.cc
index b826dc1..16454a5 100644
--- a/stack/l2cap/l2c_ble.cc
+++ b/stack/l2cap/l2c_ble.cc

@@ -811,6 +811,11 @@
 
     case L2CAP_CMD_CREDIT_BASED_RECONFIG_RES: {
       uint16_t result;
+      if (p + sizeof(uint16_t) > p_pkt_end) {
+        android_errorWriteLog(0x534e4554, "212694559");
+        LOG(ERROR) << "invalid read";
+        return;
+      }
       STREAM_TO_UINT16(result, p);
 
       L2CAP_TRACE_DEBUG(