AVDTP: Fix a potential overflow about the media payload offset This variable is uint16, and is possible to overflow when the length of header extension is larger. Here we compare with the data length to prevent any exceptions. Change-Id: If55d77132e893d6856c9f4ccc42d24a6e7cafe29 CRs-Fixed: 3237187 Issue: FP3SEC-679 (cherry picked from commit c7b27bd4a4a6440c52174f0724acdf5e049793e3)

commit: 2a7ab5cf369bac1c89a8f7e3db0fdfb1acf88fbb [log] [tgz]
author: Mayank Madhukar <quic_mmadhuka@quicinc.com> Wed Jul 27 18:04:03 2022 +0530
committer: Karsten Tausche <karsten@fairphone.com> Wed Nov 09 15:17:53 2022 +0100
tree: 386f98c361c57373f0a946d7b955b690adffb7a9
parent: 08ab03fda3f641d67e0b465fc7523811b7758261 [diff]
diff --git a/stack/avdt/avdt_scb_act.cc b/stack/avdt/avdt_scb_act.cc
index 31745bb..ff9ade2 100644
--- a/stack/avdt/avdt_scb_act.cc
+++ b/stack/avdt/avdt_scb_act.cc

@@ -255,19 +255,24 @@
     if (offset > len) goto length_error;
     p += 2;
     BE_STREAM_TO_UINT16(ex_len, p);
-    offset += ex_len * 4;
     p += ex_len * 4;
   }
 
+  if ((p - p_start) > len) {
+    android_errorWriteLog(0x534e4554, "142546355");
+    osi_free_and_reset((void**)&p_data->p_pkt);
+    return;
+  }
+  offset = p - p_start;
+
   /* adjust length for any padding at end of packet */
   if (o_p) {
     /* padding length in last byte of packet */
-    pad_len = *(p_start + p_data->p_pkt->len);
+    pad_len = *(p_start + len);
   }
 
   /* do sanity check */
-  if ((offset > p_data->p_pkt->len) ||
-      ((pad_len + offset) > p_data->p_pkt->len)) {
+  if (pad_len > (len - offset)) {
     AVDT_TRACE_WARNING("Got bad media packet");
     osi_free_and_reset((void**)&p_data->p_pkt);
   }
commit	2a7ab5cf369bac1c89a8f7e3db0fdfb1acf88fbb	[log] [tgz]
author	Mayank Madhukar <quic_mmadhuka@quicinc.com>	Wed Jul 27 18:04:03 2022 +0530
committer	Karsten Tausche <karsten@fairphone.com>	Wed Nov 09 15:17:53 2022 +0100
tree	386f98c361c57373f0a946d7b955b690adffb7a9
parent	08ab03fda3f641d67e0b465fc7523811b7758261 [diff]