Fix OOB read in bta_av_setconfig_rej

The bta_av_config_ind function in bta_av_aact.cc makes a call in some
user journeys to bta_av_setconfig_rej, constructing its p_data argument
(a union datatype) as a tBTA_AV_CI_SETCONFIG.  This is a valid member of
the union, but bta_av_setconfig_rej makes the assumption that the
variable being passed has been set up as a tBTA_AV_STR_MSG, which is not
true in this case.  This causes OOB access.

Draw the required data instead from the stream control block, which
should not be subject to this confusion.

Bug: 260230151
Test: m libbluetooth
Test: manual
Ignore-AOSP-First: security
Tag: #security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:1816d40959e366f5feaa50a8db673141022634e9)
Merged-In: If7fee75ff454ab925b9661c78980b7c093c29f0b
Change-Id: If7fee75ff454ab925b9661c78980b7c093c29f0b

0 files changed, 0 insertions, 0 deletions