Merge remote-tracking branch 'origin/LA.QSSI.11.0.R1.11.00.00.668.170.00' into fp4t-target-0414
diff --git a/bta/hf_client/bta_hf_client_at.cc b/bta/hf_client/bta_hf_client_at.cc
index 6e4fe26..725d6ed 100644
--- a/bta/hf_client/bta_hf_client_at.cc
+++ b/bta/hf_client/bta_hf_client_at.cc
@@ -332,6 +332,10 @@
APPL_TRACE_DEBUG("%s: %lu.%s <%lu:%lu>", __func__, index, name, min, max);
+ if (index >= BTA_HF_CLIENT_AT_INDICATOR_COUNT) {
+ return;
+ }
+
/* look for a matching indicator on list of supported ones */
for (i = 0; i < BTA_HF_CLIENT_AT_SUPPORTED_INDICATOR_COUNT; i++) {
if (strcmp(name, BTA_HF_CLIENT_INDICATOR_SERVICE) == 0) {
@@ -793,9 +797,9 @@
} while (0)
/* skip rest of AT string up to <cr> */
-#define AT_SKIP_REST(buf) \
- do { \
- while (*(buf) != '\r') (buf)++; \
+#define AT_SKIP_REST(buf) \
+ do { \
+ while (*(buf) != '\r' && *(buf) != '\0') (buf)++; \
} while (0)
static char* bta_hf_client_parse_ok(tBTA_HF_CLIENT_CB* client_cb,
diff --git a/btif/src/btif_dm.cc b/btif/src/btif_dm.cc
index 48d3290..f865b4b 100644
--- a/btif/src/btif_dm.cc
+++ b/btif/src/btif_dm.cc
@@ -1182,16 +1182,13 @@
break;
case HCI_ERR_PAIRING_NOT_ALLOWED:
- is_bonded_device_removed =
- (btif_storage_remove_bonded_device(&bd_addr) == BT_STATUS_SUCCESS);
status = BT_STATUS_AUTH_REJECTED;
break;
/* map the auth failure codes, so we can retry pairing if necessary */
case HCI_ERR_AUTH_FAILURE:
case HCI_ERR_KEY_MISSING:
- is_bonded_device_removed =
- (btif_storage_remove_bonded_device(&bd_addr) == BT_STATUS_SUCCESS);
+ is_bonded_device_removed = false;
[[fallthrough]];
case HCI_ERR_HOST_REJECT_SECURITY:
case HCI_ERR_ENCRY_MODE_NOT_ACCEPTABLE:
@@ -1222,8 +1219,6 @@
/* Remove Device as bonded in nvram as authentication failed */
BTIF_TRACE_DEBUG("%s(): removing hid pointing device from nvram",
__func__);
- is_bonded_device_removed =
- (btif_storage_remove_bonded_device(&bd_addr) == BT_STATUS_SUCCESS);
}
// Report bond state change to java only if we are bonding to a device or
// a device is removed from the pairing list.
diff --git a/stack/avrc/avrc_pars_tg.cc b/stack/avrc/avrc_pars_tg.cc
index 190a88d..5bae32e 100644
--- a/stack/avrc/avrc_pars_tg.cc
+++ b/stack/avrc/avrc_pars_tg.cc
@@ -43,6 +43,12 @@
tAVRC_COMMAND* p_result) {
tAVRC_STS status = AVRC_STS_NO_ERROR;
+ if (p_msg->vendor_len < 4) { // 4 == pdu + reserved byte + len as uint16
+ AVRC_TRACE_WARNING("%s: message length %d too short: must be at least 4",
+ __func__, p_msg->vendor_len);
+ android_errorWriteLog(0x534e4554, "205571133");
+ return AVRC_STS_INTERNAL_ERR;
+ }
uint8_t* p = p_msg->p_vendor_data;
p_result->pdu = *p++;
AVRC_TRACE_DEBUG("%s pdu:0x%x", __func__, p_result->pdu);