Snap for 8278022 from c465e9fe20d773da28a9805e9f0ac4ad57b29bdf to mainline-tethering-release
Change-Id: I181cc438e49001e60972aa530cee03898e86a5d8
diff --git a/Android.bp b/Android.bp
index b069650..81162c4 100644
--- a/Android.bp
+++ b/Android.bp
@@ -78,3 +78,9 @@
srcs: [":framework-bluetooth-srcs"],
sdk_version: "module_current"
}
+
+java_library {
+ name: "framework-bluetooth.stubs.module_lib",
+ srcs: [":framework-bluetooth-srcs"],
+ sdk_version: "module_current"
+}
diff --git a/stack/avrc/avrc_pars_ct.cc b/stack/avrc/avrc_pars_ct.cc
index 2141bf17..0555af0 100644
--- a/stack/avrc/avrc_pars_ct.cc
+++ b/stack/avrc/avrc_pars_ct.cc
@@ -581,6 +581,10 @@
p_result->get_caps.capability_id,
p_result->get_caps.count);
if (p_result->get_caps.capability_id == AVRC_CAP_COMPANY_ID) {
+ if (p_result->get_caps.count > AVRC_CAP_MAX_NUM_COMP_ID) {
+ android_errorWriteLog(0x534e4554, "205837191");
+ return AVRC_STS_INTERNAL_ERR;
+ }
min_len += MIN(p_result->get_caps.count, AVRC_CAP_MAX_NUM_COMP_ID) * 3;
if (len < min_len) goto length_error;
for (int xx = 0; ((xx < p_result->get_caps.count) &&
@@ -590,6 +594,10 @@
}
} else if (p_result->get_caps.capability_id ==
AVRC_CAP_EVENTS_SUPPORTED) {
+ if (p_result->get_caps.count > AVRC_CAP_MAX_NUM_EVT_ID) {
+ android_errorWriteLog(0x534e4554, "205837191");
+ return AVRC_STS_INTERNAL_ERR;
+ }
min_len += MIN(p_result->get_caps.count, AVRC_CAP_MAX_NUM_EVT_ID);
if (len < min_len) goto length_error;
for (int xx = 0; ((xx < p_result->get_caps.count) &&
diff --git a/stack/l2cap/l2c_ble.cc b/stack/l2cap/l2c_ble.cc
index 16454a5..d548679 100644
--- a/stack/l2cap/l2c_ble.cc
+++ b/stack/l2cap/l2c_ble.cc
@@ -621,7 +621,7 @@
break;
}
case L2CAP_CMD_CREDIT_BASED_CONN_RES:
- if (p + 2 > p_pkt_end) {
+ if (p + 8 > p_pkt_end) {
LOG(ERROR) << "invalid L2CAP_CMD_CREDIT_BASED_CONN_RES len";
return;
}
