Merge cherrypicks of ['ag/20614047', 'ag/20069005', 'ag/20834832', 'ag/20857269', 'ag/20874088', 'ag/20857271'] into rvc-platform-release.
Change-Id: I8ae06d4953078f7b28fbc2f0b55c9ea859e67f27
diff --git a/bta/av/bta_av_act.cc b/bta/av/bta_av_act.cc
index 827cdbb..533b15d 100644
--- a/bta/av/bta_av_act.cc
+++ b/bta/av/bta_av_act.cc
@@ -1973,8 +1973,23 @@
if (p_lcb) {
rc_handle = bta_av_rc_create(p_cb, AVCT_INT,
(uint8_t)(p_scb->hdi + 1), p_lcb->lidx);
- p_cb->rcb[rc_handle].peer_features = peer_features;
- p_cb->rcb[rc_handle].cover_art_psm = cover_art_psm;
+ if (rc_handle < BTA_AV_NUM_RCB) {
+ p_cb->rcb[rc_handle].peer_features = peer_features;
+ p_cb->rcb[rc_handle].cover_art_psm = cover_art_psm;
+ } else {
+ /* cannot create valid rc_handle for current device. report failure
+ */
+ APPL_TRACE_ERROR("%s: no link resources available", __func__);
+ p_scb->use_rc = false;
+ tBTA_AV_RC_OPEN rc_open;
+ rc_open.peer_addr = p_scb->PeerAddress();
+ rc_open.peer_features = 0;
+ rc_open.cover_art_psm = 0;
+ rc_open.status = BTA_AV_FAIL_RESOURCES;
+ tBTA_AV bta_av_data;
+ bta_av_data.rc_open = rc_open;
+ (*p_cb->p_cback)(BTA_AV_RC_OPEN_EVT, &bta_av_data);
+ }
} else {
APPL_TRACE_ERROR("%s: can not find LCB!!", __func__);
}
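Review bot: `tBTA_AV_RC_OPEN rc_open;` on the new failure path is only partially filled in before it is copied into `bta_av_data` and handed to `p_cb->p_cback`, so any member of the struct not assigned here (a handle field, if the type carries one — its definition is not in the hunk) reaches the callback indeterminate. Value-initialising the aggregate, `tBTA_AV_RC_OPEN rc_open = {};`, removes the uninitialised read at no cost and matches the zeroed `peer_features`/`cover_art_psm` the branch already sets. The enclosing function begins and ends outside this hunk, so whether the caller also honours `p_scb->use_rc = false` after the callback cannot be confirmed here.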
diff --git a/btif/co/bta_hh_co.cc b/btif/co/bta_hh_co.cc
index cec3f69..96738ee 100644
--- a/btif/co/bta_hh_co.cc
+++ b/btif/co/bta_hh_co.cc
@@ -600,15 +600,16 @@
ev.type = UHID_FEATURE_ANSWER;
ev.u.feature_answer.id = *get_rpt_id;
ev.u.feature_answer.err = status;
- ev.u.feature_answer.size = len;
+ ev.u.feature_answer.size = len - GET_RPT_RSP_OFFSET;
osi_free(get_rpt_id);
- if (len > 0) {
- if (len > UHID_DATA_MAX) {
+ if (len > GET_RPT_RSP_OFFSET) {
+ if (len - GET_RPT_RSP_OFFSET > UHID_DATA_MAX) {
APPL_TRACE_WARNING("%s: Report size greater than allowed size",
__func__);
return;
}
- memcpy(ev.u.feature_answer.data, p_rpt + GET_RPT_RSP_OFFSET, len);
+ memcpy(ev.u.feature_answer.data, p_rpt + GET_RPT_RSP_OFFSET,
+ len - GET_RPT_RSP_OFFSET);
uhid_write(p_dev->fd, &ev);
}
}
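Review bot: `ev.u.feature_answer.size = len - GET_RPT_RSP_OFFSET;` is evaluated before the `len > GET_RPT_RSP_OFFSET` guard, so for a response shorter than the offset the size field holds a wrapped value; it is harmless today only because `uhid_write` is reached solely inside the guard, which a later edit could easily break. Computing the payload length once inside the guard keeps the invariant local: `size_t rpt_len = len - GET_RPT_RSP_OFFSET;` then `ev.u.feature_answer.size = rpt_len;` and `memcpy(ev.u.feature_answer.data, p_rpt + GET_RPT_RSP_OFFSET, rpt_len);`. Note also that a response with `len == GET_RPT_RSP_OFFSET` (header only, empty report) now produces no UHID answer at all, as `len == 0` did before; whether the kernel side tolerates an unanswered GET_REPORT is outside the hunk. The enclosing function starts before this hunk.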
diff --git a/stack/a2dp/a2dp_sbc.cc b/stack/a2dp/a2dp_sbc.cc
index 388419b..d44cf12 100644
--- a/stack/a2dp/a2dp_sbc.cc
+++ b/stack/a2dp/a2dp_sbc.cc
@@ -708,6 +708,11 @@
BT_HDR* p_buf, uint16_t frames_per_packet) {
uint8_t* p;
+ // there is a timestamp right following p_buf
+ if (p_buf->offset < 4 + A2DP_SBC_MPL_HDR_LEN) {
+ return false;
+ }
+
p_buf->offset -= A2DP_SBC_MPL_HDR_LEN;
p = (uint8_t*)(p_buf + 1) + p_buf->offset;
p_buf->len += A2DP_SBC_MPL_HDR_LEN;
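Review bot: The new guard hard-codes `4`, and its comment `there is a timestamp right following p_buf` does not say why that forces `offset` to leave more room than `A2DP_SBC_MPL_HDR_LEN` alone. Spell the invariant out and name the literal: `// The data area of p_buf begins with a 4-byte timestamp; the media payload header written at offset - A2DP_SBC_MPL_HDR_LEN must not run into it.` with `if (p_buf->offset < kTimestampLen + A2DP_SBC_MPL_HDR_LEN)`, where `kTimestampLen` is a file-local constant for the 4 (name is a suggestion). The function whose `p_buf`/`frames_per_packet` parameters are visible at the top of the hunk begins before it, so whether its callers act on the new `false` return cannot be confirmed here.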
diff --git a/stack/avdt/avdt_scb_act.cc b/stack/avdt/avdt_scb_act.cc
index 31745bb..ce53c45 100644
--- a/stack/avdt/avdt_scb_act.cc
+++ b/stack/avdt/avdt_scb_act.cc
@@ -977,6 +977,11 @@
/* Build a media packet, and add an RTP header if required. */
if (add_rtp_header) {
+ if (p_data->apiwrite.p_buf->offset < AVDT_MEDIA_HDR_SIZE) {
+ android_errorWriteWithInfoLog(0x534e4554, "242535997", -1, NULL, 0);
+ return;
+ }
+
ssrc = avdt_scb_gen_ssrc(p_scb);
p_data->apiwrite.p_buf->len += AVDT_MEDIA_HDR_SIZE;
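Review bot: The early `return` on a too-small `offset` abandons `p_data->apiwrite.p_buf` without releasing it, and the only record of the rejection is the SafetyNet log — no AVDT trace. If the normal path below hands the buffer to the L2CAP write, which takes ownership by the usual convention in this stack (not visible in the hunk), this branch leaks one buffer per malformed write; if the caller frees it instead, a one-line comment, `// p_buf remains owned by the caller on this path`, would settle the question for the next reader. A trace next to the SafetyNet call would also make the drop visible in bug reports: `AVDT_TRACE_ERROR("%s: buffer offset %d too small for RTP header", __func__, p_data->apiwrite.p_buf->offset);`. The enclosing function starts before and continues past this hunk.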
diff --git a/stack/gatt/gatt_cl.cc b/stack/gatt/gatt_cl.cc
index 842cb6c..ff1e5af 100644
--- a/stack/gatt/gatt_cl.cc
+++ b/stack/gatt/gatt_cl.cc
@@ -572,7 +572,8 @@
LOG(ERROR) << StringPrintf("value resp op_code = %s len = %d",
gatt_dbg_op_name(op_code), len);
- if (len < GATT_PREP_WRITE_RSP_MIN_LEN) {
+ if (len < GATT_PREP_WRITE_RSP_MIN_LEN ||
+ len > GATT_PREP_WRITE_RSP_MIN_LEN + sizeof(value.value)) {
LOG(ERROR) << "illegal prepare write response length, discard";
gatt_end_operation(p_clcb, GATT_INVALID_PDU, &value);
return;
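Review bot: The new upper bound `len > GATT_PREP_WRITE_RSP_MIN_LEN + sizeof(value.value)` is only right together with the second hunk (`value.len = len - GATT_PREP_WRITE_RSP_MIN_LEN`), and both silently assume the macro equals the four header bytes (handle + offset) consumed by the two `STREAM_TO_UINT16` reads before the `memcpy`; the macro's value is not visible here. Pin that assumption where the bound is checked: `// GATT_PREP_WRITE_RSP_MIN_LEN == handle(2) + offset(2); everything past it is the echoed value and must fit value.value`. If the macro were ever larger than the header, the bound stays safe but `value.len` under-counts the value bytes, so a `static_assert` tying the macro to the header size next to its definition (outside this hunk) would make the coupling explicit. The enclosing function starts before this hunk.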
@@ -581,7 +582,7 @@
STREAM_TO_UINT16(value.handle, p);
STREAM_TO_UINT16(value.offset, p);
- value.len = len - 4;
+ value.len = len - GATT_PREP_WRITE_RSP_MIN_LEN;
memcpy(value.value, p, value.len);
diff --git a/stack/sdp/sdp_db.cc b/stack/sdp/sdp_db.cc
index 2cc04b0..dd06230 100644
--- a/stack/sdp/sdp_db.cc
+++ b/stack/sdp/sdp_db.cc
@@ -357,6 +357,11 @@
uint16_t xx, yy, zz;
tSDP_RECORD* p_rec = &sdp_cb.server_db.record[0];
+ if (p_val == nullptr) {
+ SDP_TRACE_WARNING("Trying to add attribute with p_val == nullptr, skipped");
+ return (false);
+ }
+
if (sdp_cb.trace_level >= BT_TRACE_LEVEL_DEBUG) {
if ((attr_type == UINT_DESC_TYPE) ||
(attr_type == TWO_COMP_INT_DESC_TYPE) ||
@@ -393,6 +398,13 @@
if (p_rec->record_handle == handle) {
tSDP_ATTRIBUTE* p_attr = &p_rec->attribute[0];
+ // error out early, no need to look up
+ if (p_rec->free_pad_ptr >= SDP_MAX_PAD_LEN) {
+ SDP_TRACE_ERROR("the free pad for SDP record with handle %d is "
+ "full, skip adding the attribute", handle);
+ return (false);
+ }
+
/* Found the record. Now, see if the attribute already exists */
for (xx = 0; xx < p_rec->num_attributes; xx++, p_attr++) {
/* The attribute exists. replace it */
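Review bot: The new early-out formats `handle` with `%d` in `SDP_TRACE_ERROR("the free pad for SDP record with handle %d is " ...)`; `handle` is compared against `p_rec->record_handle`, and if it is the 32-bit unsigned record handle the SDP API uses elsewhere (its declaration is outside the hunk), `%u` is the matching specifier and avoids a `-Wformat` warning. Otherwise the fast-path check is a good addition: it fails the call before walking `p_rec->attribute[]`, consistent with the `free_pad_ptr` accounting further down. The loop that follows and the rest of `SDP_AddAttribute` continue past the hunk.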
@@ -432,15 +444,13 @@
attr_len = 0;
}
- if ((attr_len > 0) && (p_val != 0)) {
+ if (attr_len > 0) {
p_attr->len = attr_len;
memcpy(&p_rec->attr_pad[p_rec->free_pad_ptr], p_val, (size_t)attr_len);
p_attr->value_ptr = &p_rec->attr_pad[p_rec->free_pad_ptr];
p_rec->free_pad_ptr += attr_len;
- } else if ((attr_len == 0 &&
- p_attr->len !=
- 0) || /* if truncate to 0 length, simply don't add */
- p_val == 0) {
+ } else if (attr_len == 0 && p_attr->len != 0) {
+ /* if truncate to 0 length, simply don't add */
SDP_TRACE_ERROR(
"SDP_AddAttribute fail, length exceed maximum: ID %d: attr_len:%d ",
attr_id, attr_len);