avrcp_controller: avoid out of bounds read

Milanka Ringwald 2021-10-25 21:26:26 +02:00
parent 3176c89607
commit 3032b6e116


@ -907,8 +907,7 @@ static void avrcp_handle_l2cap_data_packet_for_signaling_connection(avrcp_connec
switch (capability_id){ switch (capability_id){
case AVRCP_CAPABILITY_ID_COMPANY: case AVRCP_CAPABILITY_ID_COMPANY:
// TODO: avoid out of bounds read for (i = 0; (i < capability_count) && ((size - pos) >= 3); i++){
for (i = 0; i < capability_count; i++){
uint32_t company_id = big_endian_read_24(packet, pos); uint32_t company_id = big_endian_read_24(packet, pos);
pos += 3; pos += 3;
log_info(" 0x%06" PRIx32 ", ", company_id); log_info(" 0x%06" PRIx32 ", ", company_id);
@ -924,7 +923,6 @@ static void avrcp_handle_l2cap_data_packet_for_signaling_connection(avrcp_connec
little_endian_store_24(event, offset, company_id); little_endian_store_24(event, offset, company_id);
offset += 3; offset += 3;
(*avrcp_controller_context.avrcp_callback)(HCI_EVENT_PACKET, 0, event, offset); (*avrcp_controller_context.avrcp_callback)(HCI_EVENT_PACKET, 0, event, offset);
break;
} }
offset = 0; offset = 0;
@ -939,8 +937,7 @@ static void avrcp_handle_l2cap_data_packet_for_signaling_connection(avrcp_connec
break; break;
case AVRCP_CAPABILITY_ID_EVENT: case AVRCP_CAPABILITY_ID_EVENT:
// TODO: avoid out of bounds read for (i = 0; (i < capability_count) && ((size - pos) >= 1); i++){
for (i = 0; i < capability_count; i++){
uint8_t event_id = packet[pos++]; uint8_t event_id = packet[pos++];
log_info(" 0x%02x %s", event_id, avrcp_event2str(event_id)); log_info(" 0x%02x %s", event_id, avrcp_event2str(event_id));