Merge "Fix an OOB access issue in A2DP_BuildMediaPayloadHeaderSbc" into bt-sys.lnx.13.0

author: CNSS_WLAN Service <cnssbldsw@qualcomm.com> 2023-03-23 03:49:32 -0700
committer: Gerrit - the friendly Code Review server <code-review@localhost> 2023-03-23 03:49:32 -0700
commit: f63676f7b944f826ae8ffbf887ed7f61154aeb01 (patch)
tree: 943c442dfa5f42aa0e7704d2defedccca358c973
parent: e19b6f66fe92b3e958141c14d00b2bab120aafa9 (diff)
parent: e6e6386302c505843dbbaf985c000e4028798899 (diff)
1 files changed, 5 insertions, 0 deletions
diff --git a/stack/a2dp/a2dp_sbc.cc b/stack/a2dp/a2dp_sbc.cc
index 0b0af3555..8b61db886 100644
--- a/stack/a2dp/a2dp_sbc.cc
+++ b/stack/a2dp/a2dp_sbc.cc
@@ -918,6 +918,11 @@ bool A2DP_BuildCodecHeaderSbc(UNUSED_ATTR const uint8_t* p_codec_info,
     return false;
   }
 
+  // there is a timestamp right following p_buf
+  if (p_buf->offset < 4 + A2DP_SBC_MPL_HDR_LEN) {
+    return false;
+  }
+
   p_buf->offset -= A2DP_SBC_MPL_HDR_LEN;
   uint8_t* p = (uint8_t*)(p_buf + 1) + p_buf->offset;
   p_buf->len += A2DP_SBC_MPL_HDR_LEN;
author	CNSS_WLAN Service <cnssbldsw@qualcomm.com>	2023-03-23 03:49:32 -0700
committer	Gerrit - the friendly Code Review server <code-review@localhost>	2023-03-23 03:49:32 -0700
commit	f63676f7b944f826ae8ffbf887ed7f61154aeb01 (patch)
tree	943c442dfa5f42aa0e7704d2defedccca358c973
parent	e19b6f66fe92b3e958141c14d00b2bab120aafa9 (diff)
parent	e6e6386302c505843dbbaf985c000e4028798899 (diff)