| author | Brian Delwiche <delwiche@google.com> | 2023-05-19 21:46:53 +0000 |
|---|---|---|
| committer | Julian Veit <claymore1298@gmail.com> | 2023-12-06 13:30:22 +0100 |
| commit | a4246fabc2320f15fe2b91f51e4a08272040f1a6 (patch) | |
| tree | f95773be055ae5f18d6e9d98f9a4cccf4ac89d59 | |
| parent | 40dcf0dcda721240410059fa4fac5881f466d66f (diff) | |
Add bounds checks in btif_avrcp_audio_track.cc
Fuzz testing reveals that the transcodeQ*ToFloat family of functions is
not bounds checked, causing a potential OOB write.
Check these functions against bounds of the destination array.
Bug: 275895309
Test: atest bluetooth_test_gd_unit, net_test_stack_btm
Tag: #security
Ignore-AOSP-First: Security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:46803ae95d63ee133eae83d885e7c051964dc8ed)
Merged-In: I7a13261429797769cf5b913912a30e249668ac93
Change-Id: I7a13261429797769cf5b913912a30e249668ac93
| -rw-r--r-- | system/btif/src/btif_avrcp_audio_track.cc | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/system/btif/src/btif_avrcp_audio_track.cc b/system/btif/src/btif_avrcp_audio_track.cc
index 8ca5c97985..e17f80f5f7 100644
--- a/system/btif/src/btif_avrcp_audio_track.cc
+++ b/system/btif/src/btif_avrcp_audio_track.cc
@@ -23,6 +23,8 @@
 #include <base/logging.h>
 #include <utils/StrongPointer.h>
+#include <algorithm>
+
 #include "bt_target.h"
 #include "osi/include/log.h"
@@ -152,7 +154,7 @@ static size_t transcodeQ15ToFloat(uint8_t* buffer, size_t length,
                                   BtifAvrcpAudioTrack* trackHolder) {
   size_t sampleSize = sampleSizeFor(trackHolder);
   size_t i = 0;
-  for (; i <= length / sampleSize; i++) {
+  for (; i < std::min(trackHolder->bufferLength, length / sampleSize); i++) {
     trackHolder->buffer[i] = ((int16_t*)buffer)[i] * kScaleQ15ToFloat;
   }
   return i * sampleSize;
@@ -162,7 +164,7 @@ static size_t transcodeQ23ToFloat(uint8_t* buffer, size_t length,
                                   BtifAvrcpAudioTrack* trackHolder) {
   size_t sampleSize = sampleSizeFor(trackHolder);
   size_t i = 0;
-  for (; i <= length / sampleSize; i++) {
+  for (; i < std::min(trackHolder->bufferLength, length / sampleSize); i++) {
     size_t offset = i * sampleSize;
     int32_t sample = *((int32_t*)(buffer + offset - 1)) & 0x00FFFFFF;
     trackHolder->buffer[i] = sample * kScaleQ23ToFloat;
@@ -174,7 +176,7 @@ static size_t transcodeQ31ToFloat(uint8_t* buffer, size_t length,
                                   BtifAvrcpAudioTrack* trackHolder) {
   size_t sampleSize = sampleSizeFor(trackHolder);
   size_t i = 0;
-  for (; i <= length / sampleSize; i++) {
+  for (; i < std::min(trackHolder->bufferLength, length / sampleSize); i++) {
     trackHolder->buffer[i] = ((int32_t*)buffer)[i] * kScaleQ31ToFloat;
   }
   return i * sampleSize;
|
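Review bot: The new bound `std::min(trackHolder->bufferLength, length / sampleSize)` in transcodeQ15ToFloat is only a complete fix if `bufferLength` counts elements of `trackHolder->buffer` rather than bytes; the allocation is not in the hunk, so this should be confirmed where `buffer` and `bufferLength` are set, and the same applies to the transcodeQ23ToFloat and transcodeQ31ToFloat hunks. The `std::min` is also re-evaluated on every iteration, which reads clearer hoisted into a named limit: `const size_t sampleCount = std::min(trackHolder->bufferLength, length / sampleSize);` followed by `for (; i < sampleCount; i++) {`. With `<` in place of `<=`, the highest index read from `buffer` is `length / sampleSize - 1`, so the source read now stays within `length` bytes and a trailing partial sample is simply dropped by the integer division. The function's closing brace is outside the hunk.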
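Review bot: In the transcodeQ23ToFloat hunk the corrected loop condition stops the write past `trackHolder->buffer`, but the read on the context line that follows, `*((int32_t*)(buffer + offset - 1))`, still begins one byte before `buffer` on the first iteration (`offset` is 0 when `i` is 0), so the first sample reads outside the source buffer even after this change. That expression is also an unaligned 4-byte load through an `int32_t*`, which is undefined behaviour; assembling the 24-bit sample from the three bytes at `buffer + offset` (for example `std::memcpy` of 3 bytes into a zero-initialised `int32_t`, or explicit byte shifts) would remove both the under-read and the aliasing problem. Whether the `0x00FFFFFF` mask on a load that starts at `offset - 1` selects the intended three bytes depends on byte order and on how the caller packs `buffer`, neither of which is visible here, so that should be checked rather than assumed. The function's closing brace is outside the hunk.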
