From 19dd59c8bc25473ffd22c25a0840854c684302f5 Mon Sep 17 00:00:00 2001
From: Milanka Ringwald
Date: Wed, 6 Nov 2024 14:49:30 +0100
Subject: [PATCH] avrcp_browsing_target: check input data length for SET BROWSED PLAYER command

---
 src/classic/avrcp_browsing_target.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/src/classic/avrcp_browsing_target.c b/src/classic/avrcp_browsing_target.c
index d46c180f1..079086965 100644
--- a/src/classic/avrcp_browsing_target.c
+++ b/src/classic/avrcp_browsing_target.c
@@ -185,10 +185,19 @@ static void avrcp_browsing_target_packet_handler(uint8_t packet_type, uint16_t c
 }
 case AVRCP_PDU_ID_SET_BROWSED_PLAYER:
 // param length (2), player_id (2)
+ if ( (pos + 2) > size ){
+ avrcp_browsing_target_response_general_reject(browsing_connection, AVRCP_STATUS_INVALID_COMMAND);
+ break;
+ }
 if (big_endian_read_16(packet, pos) != 2){
 avrcp_browsing_target_response_general_reject(browsing_connection, AVRCP_STATUS_INVALID_COMMAND);
 break;
 }
+ if ( (pos + 4) > size ){
+ avrcp_browsing_target_response_general_reject(browsing_connection, AVRCP_STATUS_INVALID_PLAYER_ID);
+ break;
+ }
+
 avrcp_browsing_target_emit_set_browsed_player(avrcp_target_context.browsing_avrcp_callback, channel, big_endian_read_16(packet, pos+2));
 break;
 default:
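Review bot: The second bounds check in the SET_BROWSED_PLAYER case rejects a truncated PDU with `AVRCP_STATUS_INVALID_PLAYER_ID`, which reports a framing problem (the packet is too short to hold the player id at all) as if a well-formed but unknown player id had been supplied; the first check in the same hunk uses `AVRCP_STATUS_INVALID_COMMAND` for the same class of defect. Since the command is fixed-length (param length 2 plus player id 2), both checks collapse into one guard placed before the first read, `if ((pos + 4) > size){ avrcp_browsing_target_response_general_reject(browsing_connection, AVRCP_STATUS_INVALID_COMMAND); break; }`, which keeps the status consistent and removes the duplicated reject path. A short comment on that guard, `// need 4 bytes: param length (2) + player id (2); reject truncated PDUs before any read`, would make the length reasoning explicit for the next reader. The enclosing switch and avrcp_browsing_target_packet_handler start and end outside the hunk, so whether `pos` and `size` have types for which `pos + 4` cannot wrap is not visible here and should be confirmed.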