File avrcp-Fix-not-checking-if-params_len-match-number-of.patch of Package bluez.29390

From e2b0f0d8d63e1223bb714a9efb37e2257818268b Mon Sep 17 00:00:00 2001
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Date: Thu, 29 Apr 2021 18:18:57 -0700
Subject: [PATCH] avrcp: Fix not checking if params_len match number of
 received bytes

This makes sure the number of bytes in the params_len matches the
remaining bytes received so the code don't end up accessing invalid
memory.
---
 profiles/audio/avrcp.c | 8 ++++++++
 1 file changed, 8 insertions(+)

Index: bluez-5.48/profiles/audio/avrcp.c
===================================================================
--- bluez-5.48.orig/profiles/audio/avrcp.c
+++ bluez-5.48/profiles/audio/avrcp.c
@@ -1844,6 +1844,14 @@ static size_t handle_vendordep_pdu(struc
 		goto err_metadata;
 	}
 
+	operands += sizeof(*pdu);
+	operand_count -= sizeof(*pdu);
+
+	if (pdu->params_len != operand_count) {
+		DBG("AVRCP PDU parameters length don't match");
+		pdu->params_len = operand_count;
+	}
+
 	for (handler = session->control_handlers; handler->pdu_id; handler++) {
 		if (handler->pdu_id == pdu->pdu_id)
 			break;
openSUSE Build Service is sponsored by