Merge branch 'dev/10/fp2/security-aosp-qt-release' into int/10/fp2
* dev/10/fp2/security-aosp-qt-release:
Add bounds check in avdt_scb_act.cc
Report failure when not able to connect to AVRCP
Change-Id: I68947ef352336d393f9da715ac0525271431376a
diff --git a/bta/av/bta_av_act.cc b/bta/av/bta_av_act.cc
index a727842..8809abe 100644
--- a/bta/av/bta_av_act.cc
+++ b/bta/av/bta_av_act.cc
@@ -1848,7 +1848,21 @@
if (p_lcb) {
rc_handle = bta_av_rc_create(p_cb, AVCT_INT,
(uint8_t)(p_scb->hdi + 1), p_lcb->lidx);
- p_cb->rcb[rc_handle].peer_features = peer_features;
+ if (rc_handle < BTA_AV_NUM_RCB) {
+ p_cb->rcb[rc_handle].peer_features = peer_features;
+ } else {
+ /* cannot create valid rc_handle for current device. report failure
+ */
+ APPL_TRACE_ERROR("%s: no link resources available", __func__);
+ p_scb->use_rc = false;
+ tBTA_AV_RC_OPEN rc_open;
+ rc_open.peer_addr = p_scb->PeerAddress();
+ rc_open.peer_features = 0;
+ rc_open.status = BTA_AV_FAIL_RESOURCES;
+ tBTA_AV bta_av_data;
+ bta_av_data.rc_open = rc_open;
+ (*p_cb->p_cback)(BTA_AV_RC_OPEN_EVT, &bta_av_data);
+ }
} else {
APPL_TRACE_ERROR("%s: can not find LCB!!", __func__);
}
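Review bot: The new failure branch hands a partially initialised stack object to the callback: `rc_open` is declared without an initialiser and only `peer_addr`, `peer_features` and `status` are assigned before it is copied into `bta_av_data`. Any other member of `tBTA_AV_RC_OPEN` (its definition is not visible here; a handle field seems likely) would hold indeterminate bytes when `BTA_AV_RC_OPEN_EVT` is delivered. Value-initialising the local closes that: `tBTA_AV_RC_OPEN rc_open = {};`. If the struct does carry a handle, it is also worth confirming that the receiver does not index with it when the status is `BTA_AV_FAIL_RESOURCES`, since that would reintroduce the out-of-range access this hunk guards against. The enclosing function starts and ends outside the hunk.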
diff --git a/stack/avdt/avdt_scb_act.cc b/stack/avdt/avdt_scb_act.cc
index 31745bb..ce53c45 100644
--- a/stack/avdt/avdt_scb_act.cc
+++ b/stack/avdt/avdt_scb_act.cc
@@ -977,6 +977,11 @@
/* Build a media packet, and add an RTP header if required. */
if (add_rtp_header) {
+ if (p_data->apiwrite.p_buf->offset < AVDT_MEDIA_HDR_SIZE) {
+ android_errorWriteWithInfoLog(0x534e4554, "242535997", -1, NULL, 0);
+ return;
+ }
+
ssrc = avdt_scb_gen_ssrc(p_scb);
p_data->apiwrite.p_buf->len += AVDT_MEDIA_HDR_SIZE;