| commit | 668bbca29797728004d88db4c9b69102f3939008 | [log] [tgz] |
|---|---|---|
| author | Hui Peng <phui@google.com> | Wed May 10 23:34:20 2023 +0000 |
| committer | Android Build Coastguard Worker <android-build-coastguard-worker@google.com> | Fri Jul 14 17:32:00 2023 +0000 |
| tree | 5d941804d9edc485838588b482e97aec1f3bca8a | |
| parent | d8d95291f16a8f18f8ffbd6322c14686897c5730 [diff] |
Fix an integer overflow bug in avdt_msg_asmbl Bug: 280633699 Test: manual Ignore-AOSP-First: security Tag: #security (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:bf9449a704c2983861dbe0ede9ab660e42826179) Merged-In: Iaa4d603921fc4ffb8cfb5783f99ec0963affd6a2 Change-Id: Iaa4d603921fc4ffb8cfb5783f99ec0963affd6a2
diff --git a/system/stack/avdt/avdt_msg.cc b/system/stack/avdt/avdt_msg.cc index bfb3909..e6286b8 100644 --- a/system/stack/avdt/avdt_msg.cc +++ b/system/stack/avdt/avdt_msg.cc
@@ -1290,14 +1290,14 @@ * NOTE: The buffer is allocated above at the beginning of the * reassembly, and is always of size BT_DEFAULT_BUFFER_SIZE. */ - uint16_t buf_len = BT_DEFAULT_BUFFER_SIZE - sizeof(BT_HDR); + size_t buf_len = BT_DEFAULT_BUFFER_SIZE - sizeof(BT_HDR); /* adjust offset and len of fragment for header byte */ p_buf->offset += AVDT_LEN_TYPE_CONT; p_buf->len -= AVDT_LEN_TYPE_CONT; /* verify length */ - if ((p_ccb->p_rx_msg->offset + p_buf->len) > buf_len) { + if (((size_t) p_ccb->p_rx_msg->offset + (size_t) p_buf->len) > buf_len) { /* won't fit; free everything */ AVDT_TRACE_WARNING("%s: Fragmented message too big!", __func__); osi_free_and_reset((void**)&p_ccb->p_rx_msg);