diff options
| author | Sumit Bajpai <quic_sbajpai@quicinc.com> | 2023-03-24 19:49:33 +0530 |
|---|---|---|
| committer | Sumit Bajpai <quic_sbajpai@quicinc.com> | 2023-03-24 19:49:33 +0530 |
| commit | 52d154e65d14014165755d34606e1f5eacb47f60 (patch) | |
| tree | f9d1c4c1f1b98c032eccbba1bab137caa4898b95 | |
| parent | f63676f7b944f826ae8ffbf887ed7f61154aeb01 (diff) | |
A2DP: Check offset for audio data buffer.
If the length of the packet is less than 4 its
OOB access.
CRs-Fixed: 3445336
Change-Id: I5f6109d9d470031943d21b5602a8110346708295
| -rw-r--r-- | btif/co/bta_av_co.cc | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/btif/co/bta_av_co.cc b/btif/co/bta_av_co.cc index 5ec759c37..cd978784a 100644 --- a/btif/co/bta_av_co.cc +++ b/btif/co/bta_av_co.cc @@ -991,6 +991,11 @@ void* bta_av_co_audio_src_data_path(const uint8_t* p_codec_info, return NULL; } + if (p_buf->offset < 4) { + APPL_TRACE_ERROR("%s: No space for timestamp in packet, dropped", __func__); + return NULL; + } + /* * Retrieve the timestamp information from the media packet, * and set up the packet header. @@ -1004,6 +1009,7 @@ void* bta_av_co_audio_src_data_path(const uint8_t* p_codec_info, !A2DP_BuildCodecHeader(p_codec_info, p_buf, p_buf->layer_specific)) { APPL_TRACE_ERROR("%s: unsupported codec type (%d)", __func__, A2DP_GetCodecType(p_codec_info)); + return NULL; } #if (BTA_AV_CO_CP_SCMS_T == TRUE) |