Fix an OOB Write bug in avrc_vendor_msgHEAD t13.0

Plus some cleanup Bug: 271962784 Test: manual Ignore-AOSP-First: security Tag: #security (cherry picked from commit d5de235b461ec83e43a7db513e286d3204c4cedf) (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:7f685c51b0bc63369107efe59b12162bbb145a4d) Merged-In: Ice5ad780ac0b177c73d84ed37960b4540df1ec86 Change-Id: Ice5ad780ac0b177c73d84ed37960b4540df1ec86
author: Hui Peng <phui@google.com> 2023-05-16 02:30:39 +0000
committer: aoleary <seanm187@gmail.com> 2025-10-07 19:02:21 +0000
commit: 091500ea358adca2b97abf20a635cf0dc27bd015 (patch)
tree: a1bfbf6ab652ad9cad0046690376f0f9c9cf5ecc /system/stack
parent: edecf1f7bf61a67722621145a8bdb62b66fb6776 (diff)
1 files changed, 13 insertions, 2 deletions
diff --git a/system/stack/avrc/avrc_opt.cc b/system/stack/avrc/avrc_opt.cc
index a611e3f5a7..87c685c2c4 100644
--- a/system/stack/avrc/avrc_opt.cc
+++ b/system/stack/avrc/avrc_opt.cc
@@ -49,9 +49,20 @@ static BT_HDR* avrc_vendor_msg(tAVRC_MSG_VENDOR* p_msg) {
   BT_HDR* p_cmd;
   uint8_t* p_data;
 
-  CHECK(p_msg != NULL);
+  /*
+    An AVRC cmd consists of at least of:
+    - A BT_HDR, plus
+    - AVCT_MSG_OFFSET, plus
+    - 3 bytes for ctype, subunit_type and op_vendor, plus
+    - 3 bytes for company_id
+  */
+  #define AVRC_MIN_VENDOR_CMD_LEN (sizeof(BT_HDR) + AVCT_MSG_OFFSET + 3 + 3)
+
+  if (p_msg == nullptr ||
+      AVRC_META_CMD_BUF_SIZE < AVRC_MIN_VENDOR_CMD_LEN + p_msg->vendor_len) {
+    return nullptr;
+  }
 
-  CHECK(AVRC_META_CMD_BUF_SIZE > (AVRC_MIN_CMD_LEN + p_msg->vendor_len));
   p_cmd = (BT_HDR*)osi_calloc(AVRC_META_CMD_BUF_SIZE);
 
   p_cmd->offset = AVCT_MSG_OFFSET;
author	Hui Peng <phui@google.com>	2023-05-16 02:30:39 +0000
committer	aoleary <seanm187@gmail.com>	2025-10-07 19:02:21 +0000
commit	091500ea358adca2b97abf20a635cf0dc27bd015 (patch)
tree	a1bfbf6ab652ad9cad0046690376f0f9c9cf5ecc /system/stack
parent	edecf1f7bf61a67722621145a8bdb62b66fb6776 (diff)