From 9b9bd84a4ff64aabdf0fe82922c4edb7afdf7e5f Mon Sep 17 00:00:00 2001
From: Matthias Ringwald
Date: Tue, 7 Jan 2020 22:13:31 +0100
Subject: [PATCH] hfp_ag_demo, hfp_ag_client_test: avoid out-of-bounds stack read
---
 example/hfp_ag_demo.c | 9 +++++----
 test/hfp/hfp_ag_client_test.c | 9 +++++----
 2 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/example/hfp_ag_demo.c b/example/hfp_ag_demo.c
index 1f58e3f5a..47576c1f3 100644
--- a/example/hfp_ag_demo.c
+++ b/example/hfp_ag_demo.c
@@ -443,10 +443,11 @@ static void packet_handler(uint8_t packet_type, uint16_t channel, uint8_t * even
 if (hci_event_packet_get_type(event) != HCI_EVENT_HFP_META) return;
- if (event[3]
- && hci_event_hfp_meta_get_subevent_code(event) != HFP_SUBEVENT_PLACE_CALL_WITH_NUMBER
- && hci_event_hfp_meta_get_subevent_code(event) != HFP_SUBEVENT_ATTACH_NUMBER_TO_VOICE_TAG
- && hci_event_hfp_meta_get_subevent_code(event) != HFP_SUBEVENT_TRANSMIT_DTMF_CODES){
+ if ((event_size > 3)
+ && (event[3] != 0)
+ && (hci_event_hfp_meta_get_subevent_code(event) != HFP_SUBEVENT_PLACE_CALL_WITH_NUMBER)
+ && (hci_event_hfp_meta_get_subevent_code(event) != HFP_SUBEVENT_ATTACH_NUMBER_TO_VOICE_TAG)
+ && (hci_event_hfp_meta_get_subevent_code(event) != HFP_SUBEVENT_TRANSMIT_DTMF_CODES)){
 printf("ERROR, status: %u\n", event[3]);
 return;
 }
diff --git a/test/hfp/hfp_ag_client_test.c b/test/hfp/hfp_ag_client_test.c
index 2cbe28ac0..b70c17a8b 100644
--- a/test/hfp/hfp_ag_client_test.c
+++ b/test/hfp/hfp_ag_client_test.c
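Review bot: The added `(event_size > 3)` test only keeps the status byte from being read inside this condition; a packet of three bytes or fewer now makes the whole condition false and continues into the rest of packet_handler, which lies outside the hunk. If that code reads the subevent code or a payload field (not visible from here), a short packet still reaches those reads, and the type check on the context line above has already read the header before any length test. An early reject such as `if (event_size < 3) return;` placed ahead of the type check would cover both. The same applies to the hunk in test/hfp/hfp_ag_client_test.c.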
@@ -351,10 +351,11 @@ static void packet_handler(uint8_t packet_type, uint16_t channel, uint8_t * even
 if (event[0] != HCI_EVENT_HFP_META) return;
- if (event[3]
- && event[2] != HFP_SUBEVENT_PLACE_CALL_WITH_NUMBER
- && event[2] != HFP_SUBEVENT_ATTACH_NUMBER_TO_VOICE_TAG
- && event[2] != HFP_SUBEVENT_TRANSMIT_DTMF_CODES){
+ if ((event_size > 3)
+ && (event[3] != 0)
+ && (hci_event_hfp_meta_get_subevent_code(event) != HFP_SUBEVENT_PLACE_CALL_WITH_NUMBER)
+ && (hci_event_hfp_meta_get_subevent_code(event) != HFP_SUBEVENT_ATTACH_NUMBER_TO_VOICE_TAG)
+ && (hci_event_hfp_meta_get_subevent_code(event) != HFP_SUBEVENT_TRANSMIT_DTMF_CODES)){
 printf("ERROR, status: %u\n", event[3]);
 return;
 }
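Review bot: The context line `if (event[0] != HCI_EVENT_HFP_META) return;` still indexes the packet directly, while the rewritten condition below it now goes through `hci_event_hfp_meta_get_subevent_code(event)`. Using the accessor there as well, `if (hci_event_packet_get_type(event) != HCI_EVENT_HFP_META) return;`, would match the form used in example/hfp_ag_demo.c. A one-line comment above the condition saying why the three listed subevents are exempt from the status test would also help, for example `// these subevents do not carry a status byte at offset 3`; that reading is inferred from the condition, so confirm it before adding the comment.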