fix(bt/bluedroid): fixed an integer overflow bug in avdt_msg_asmbl

Jin Cheng
2025-10-13 10:08:06 +08:00
parent e92591a07a
commit 04eb410ebc
@@ -1279,7 +1279,7 @@ BT_HDR *avdt_msg_asmbl(tAVDT_CCB *p_ccb, BT_HDR *p_buf)
UINT8 *p;
UINT8 pkt_type;
BT_HDR *p_ret;
UINT16 buf_len;
size_t buf_len;
/* parse the message header */
p = (UINT8 *)(p_buf + 1) + p_buf->offset;
@@ -1355,7 +1355,7 @@ BT_HDR *avdt_msg_asmbl(tAVDT_CCB *p_ccb, BT_HDR *p_buf)
p_buf->len -= AVDT_LEN_TYPE_CONT;
/* verify length */
if ((p_ccb->p_rx_msg->offset + p_buf->len) > buf_len) {
if (((size_t)p_ccb->p_rx_msg->offset + (size_t)p_buf->len) > buf_len) {
/* won't fit; free everything */
AVDT_TRACE_WARNING("%s: Fragmented message too big!", __func__);
osi_free(p_ccb->p_rx_msg);
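Review bot: The widened comparison on the `if` line only helps if `buf_len` itself holds an untruncated value; the place where `buf_len` is assigned lies outside both hunks, so if it is still computed from 16-bit fields the truncation happens before this check and the new `size_t` casts change nothing. Please confirm the assignment site is widened as well, and add a one-line comment above the check, `/* sum in size_t: offset and len are 16-bit fields and must not wrap before the compare */`, so the reason for the casts survives the next cleanup. The `p_buf->len -= AVDT_LEN_TYPE_CONT;` line just above relies on an earlier check that `p_buf->len >= AVDT_LEN_TYPE_CONT`, which is not visible in this hunk; if no such check exists, the unsigned subtraction wraps and a wrapped `len` can still pass the guard. avdt_msg_asmbl starts before the first hunk and continues past this one.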