AVRCP: Check if len matches number of IDs

If number of attributes remote side provided is larger than the length we read, we would read garbage from stack memory.
2024-11-25 21:24:16 +08:00 · 2011-10-12 12:11:19 -03:00 · 2011-10-12 12:11:19 -03:00 · 7cddeb379d
commit 7cddeb379d
parent 28b3057757
1 changed files with 6 additions and 2 deletions
--- a/audio/avrcp.c
+++ b/audio/avrcp.c
@ -597,12 +597,16 @@ static uint8_t avrcp_handle_get_element_attributes(struct avrcp_player *player,
 	int size;
 	unsigned int i;

-	if (len < 8 || *identifier != 0)
+	if (len < 9 || *identifier != 0)
+		goto err;
+
+	nattr = pdu->params[8];
+
+	if (len < nattr * sizeof(uint32_t) + 1)
 		goto err;

 	len = 0;
 	pos = 1; /* Keep track of current position in reponse */
-	nattr = pdu->params[8];

 	if (!nattr) {
 		/*