From 08c5766c96c710bd2321290101dd442dd3790f70 Mon Sep 17 00:00:00 2001 From: yangfeng Date: Thu, 19 Mar 2026 20:07:55 +0800 Subject: [PATCH] fix(bt): fix A2DP bta component issues reported by AI review --- components/bt/host/bluedroid/bta/ar/bta_ar.c | 23 ++++---- .../bt/host/bluedroid/bta/av/bta_av_aact.c | 47 ++++++++++++--- .../bt/host/bluedroid/bta/av/bta_av_act.c | 48 ++++++++++++--- .../bt/host/bluedroid/bta/av/bta_av_api.c | 58 +++++++++++++++++-- .../bt/host/bluedroid/bta/av/bta_av_cfg.c | 4 +- .../bt/host/bluedroid/bta/av/bta_av_ci.c | 2 +- .../bt/host/bluedroid/bta/av/bta_av_main.c | 33 ++++++++--- .../bt/host/bluedroid/bta/av/bta_av_sbc.c | 27 +++++---- .../bt/host/bluedroid/bta/av/bta_av_ssm.c | 5 ++ .../bluedroid/bta/av/include/bta_av_int.h | 3 +- 10 files changed, 194 insertions(+), 56 deletions(-) diff --git a/components/bt/host/bluedroid/bta/ar/bta_ar.c b/components/bt/host/bluedroid/bta/ar/bta_ar.c index cd70eeec24..f1b270036c 100644 --- a/components/bt/host/bluedroid/bta/ar/bta_ar.c +++ b/components/bt/host/bluedroid/bta/ar/bta_ar.c @@ -146,10 +146,11 @@ void bta_ar_dereg_avdt(tBTA_SYS_ID sys_id) bta_ar_cb.p_avk_conn_cback = NULL; mask = BTA_AR_AVK_MASK; } - bta_ar_cb.avdt_registered &= ~mask; - - if (bta_ar_cb.avdt_registered == 0) { - AVDT_Deregister(); + if (mask) { + bta_ar_cb.avdt_registered &= ~mask; + if (bta_ar_cb.avdt_registered == 0) { + AVDT_Deregister(); + } } } @@ -170,6 +171,7 @@ void bta_ar_avdt_conn(tBTA_SYS_ID sys_id, BD_ADDR bd_addr) UINT8 event = BTA_AR_AVDT_CONN_EVT; tAVDT_CTRL data; + memset(&data, 0, sizeof(tAVDT_CTRL)); if (sys_id == BTA_ID_AV) { if (bta_ar_cb.p_avk_conn_cback) { (*bta_ar_cb.p_avk_conn_cback)(0, bd_addr, event, &data); 
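Review bot: The new `if (mask)` guard in bta_ar_dereg_avdt turns a call with an unrecognised sys_id into a silent no-op, which hides the caller bug the guard is protecting against; add an else branch such as `APPL_TRACE_ERROR("%s: unknown sys_id %d", __func__, sys_id);` so a misrouted deregistration shows up in the log. The mask derivation for the other ids is above the hunk, so I am assuming it leaves mask at 0 for anything it does not match. The `memset(&data, 0, sizeof(tAVDT_CTRL))` in bta_ar_avdt_conn is the right fix, but `sizeof(data)` would keep it tied to the variable if the type ever changes.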
@@ -215,10 +217,11 @@ void bta_ar_dereg_avct(tBTA_SYS_ID sys_id) { UINT8 mask = bta_ar_id (sys_id); - bta_ar_cb.avct_registered &= ~mask; - - if (bta_ar_cb.avct_registered == 0) { - AVCT_Deregister(); + if (mask) { + bta_ar_cb.avct_registered &= ~mask; + if (bta_ar_cb.avct_registered == 0) { + AVCT_Deregister(); + } } } @@ -299,12 +302,12 @@ void bta_ar_dereg_avrc(UINT16 service_uuid, tBTA_SYS_ID sys_id) bta_ar_cb.ct_categories [mask - 1] = 0; categories = bta_ar_cb.ct_categories[0] | bta_ar_cb.ct_categories[1]; if (!categories) { - /* no CT is still registered - cleaup */ + /* no CT is still registered - cleanup */ SDP_DeleteRecord(bta_ar_cb.sdp_ct_handle); bta_ar_cb.sdp_ct_handle = 0; bta_sys_remove_uuid(service_uuid); } else { - /* change supported categories to the remaning one */ + /* change supported categories to the remaining one */ p = temp; UINT16_TO_BE_STREAM(p, categories); SDP_AddAttribute(bta_ar_cb.sdp_ct_handle, ATTR_ID_SUPPORTED_FEATURES, UINT_DESC_TYPE, diff --git a/components/bt/host/bluedroid/bta/av/bta_av_aact.c b/components/bt/host/bluedroid/bta/av/bta_av_aact.c index c0e73e670a..1120c9fb0b 100644 --- a/components/bt/host/bluedroid/bta/av/bta_av_aact.c +++ b/components/bt/host/bluedroid/bta/av/bta_av_aact.c @@ -522,6 +522,11 @@ static void bta_av_proc_stream_evt(UINT8 handle, BD_ADDR bd_addr, UINT8 event, t } /* look up application event */ + /* bounds check to avoid out-of-bounds read */ + if (event >= sizeof(bta_av_stream_evt_ok) / sizeof(bta_av_stream_evt_ok[0])) { + osi_free(p_msg); + return; + } if ((p_data == NULL) || (p_data->hdr.err_code == 0)) { p_msg->hdr.event = bta_av_stream_evt_ok[event]; if (p_msg->hdr.event == BTA_AV_STR_START_OK_EVT) { 
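Review bot: The bounds check in bta_av_proc_stream_evt is sized from `bta_av_stream_evt_ok` alone, but the error path (the else branch just below the hunk) presumably indexes a second table by the same `event`; if that table is shorter the check does not cover it. Either derive the bound from a single named constant both tables are declared with, or add a compile-time check that the two tables have the same element count so the guard cannot drift. The rejected event is also dropped without a trace; a line like `APPL_TRACE_ERROR("%s: AVDT event %u out of range", __func__, event);` before the `osi_free(p_msg)` would make a stack-layer bug visible. The function body continues outside the hunk.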
@@ -582,7 +587,7 @@ void bta_av_stream_data_cback(UINT8 handle, BT_HDR *p_pkt, UINT32 time_stamp, UI /* Get SCB and correct sep type*/ for (index = 0; index < BTA_AV_NUM_STRS; index ++ ) { p_scb = bta_av_cb.p_scb[index]; - if ((p_scb->avdt_handle == handle) && (p_scb->seps[p_scb->sep_idx].tsep == AVDT_TSEP_SNK)) { + if (p_scb && (p_scb->avdt_handle == handle) && (p_scb->seps[p_scb->sep_idx].tsep == AVDT_TSEP_SNK)) { break; } } @@ -731,6 +736,7 @@ static void bta_av_a2d_sdp_cback(BOOLEAN found, tA2D_Service *p_service) bta_sys_sendmsg(p_msg); } else { APPL_TRACE_ERROR ("bta_av_a2d_sdp_cback, no scb found for handle(0x%x)", bta_av_cb.handle); + osi_free(p_msg); } } } @@ -1643,7 +1649,7 @@ void bta_av_disc_results (tBTA_AV_SCB *p_scb, tBTA_AV_DATA *p_data) p_data->str_msg.msg.discover_cfm.p_sep_info[i].tsep ); } - for (i = 0; i < p_scb->num_seps; i++) { + for (i = 0; i < num_seps; i++) { /* steam not in use, is a sink, and is audio */ if ((p_scb->sep_info[i].in_use == FALSE) && (p_scb->sep_info[i].media_type == p_scb->media_type)) { @@ -1883,6 +1889,11 @@ void bta_av_getcap_results (tBTA_AV_SCB *p_scb, tBTA_AV_DATA *p_data) UINT16 uuid_int; /* UUID for which connection was initiated */ tBTA_AV_SNK_PSC_CFG psc_cfg = {0}; + if (p_scb->p_cap == NULL) { + APPL_TRACE_ERROR("bta_av_getcap_results: p_cap is NULL"); + bta_av_ssm_execute(p_scb, BTA_AV_STR_GETCAP_FAIL_EVT, p_data); + return; + } memcpy(&cfg, &p_scb->cfg, sizeof(tAVDT_CFG)); cfg.num_codec = 1; cfg.num_protect = p_scb->p_cap->num_protect; 
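Review bot: The added `p_scb &&` in bta_av_stream_data_cback only protects the comparison inside the loop; when no slot matches, the loop exits with `index == BTA_AV_NUM_STRS` and `p_scb` still holding whatever the last slot contained, so the code after the loop (outside the hunk) must test `index`, not `p_scb`, before using it, e.g. `if (index >= BTA_AV_NUM_STRS) { return; }` (freeing `p_pkt` there if this callback owns it). `p_scb->seps[p_scb->sep_idx]` is also indexed with an unchecked `sep_idx` on a peer-driven path; if `seps` is a fixed array, a `sep_idx < BTA_AV_MAX_SEPS`-style guard in the same condition is cheap. The `osi_free(p_msg)` in bta_av_a2d_sdp_cback correctly closes the leak on the no-scb branch.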
@@ -2178,9 +2189,9 @@ void bta_av_reconfig (tBTA_AV_SCB *p_scb, tBTA_AV_DATA *p_data) bta_sys_stop_timer(&p_scb->timer); memcpy(p_cfg, &p_scb->cfg, sizeof(tAVDT_CFG)); - p_cfg->num_protect = p_rcfg->num_protect; + p_cfg->num_protect = (p_rcfg->num_protect <= AVDT_PROTECT_SIZE) ? p_rcfg->num_protect : AVDT_PROTECT_SIZE; memcpy(p_cfg->codec_info, p_rcfg->codec_info, AVDT_CODEC_SIZE); - memcpy(p_cfg->protect_info, p_rcfg->p_protect_info, p_rcfg->num_protect); + memcpy(p_cfg->protect_info, p_rcfg->p_protect_info, p_cfg->num_protect); p_scb->rcfg_idx = p_rcfg->sep_info_idx; p_scb->p_cap->psc_mask = p_scb->cur_psc_mask; @@ -2393,7 +2404,12 @@ void bta_av_start_ok (tBTA_AV_SCB *p_scb, tBTA_AV_DATA *p_data) * If the code were to be re-arranged for some reasons, this number may need to be changed */ p_scb->co_started = bta_av_cb.audio_open_cnt; - flush_to = p_bta_av_cfg->p_audio_flush_to[p_scb->co_started - 1]; + if (p_scb->co_started > 0) { + flush_to = p_bta_av_cfg->p_audio_flush_to[p_scb->co_started - 1]; + } else { + APPL_TRACE_ERROR("bta_av_start_ok: co_started is 0"); + flush_to = p_bta_av_cfg->p_audio_flush_to[0]; + } } else { flush_to = p_bta_av_cfg->video_flush_to; } @@ -2785,7 +2801,11 @@ void bta_av_suspend_cont (tBTA_AV_SCB *p_scb, tBTA_AV_DATA *p_data) if (AVDT_ERR_CONNECT == err_code) { /* report failure */ evt.status = BTA_AV_FAIL; - (*bta_av_cb.p_cback)(BTA_AV_RECONFIG_EVT, (tBTA_AV *)&evt); + evt.chnl = p_scb->chnl; + evt.hndl = p_scb->hndl; + if (bta_av_cb.p_cback) { + (*bta_av_cb.p_cback)(BTA_AV_RECONFIG_EVT, (tBTA_AV *)&evt); + } bta_av_ssm_execute(p_scb, BTA_AV_STR_DISC_FAIL_EVT, NULL); } else { APPL_TRACE_ERROR("suspend rejected, try close"); 
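Review bot: Clamping `num_protect` to AVDT_PROTECT_SIZE in bta_av_reconfig silently truncates the caller's content-protection data instead of rejecting a malformed request, which can leave the peer configured with a partial protect blob; since this comes from the local BTA_AvReconfig API rather than the air, treating it as a caller error (trace and fail the reconfig) is the safer choice. Separately, `memcpy(p_cfg->protect_info, p_rcfg->p_protect_info, 0)` with a NULL `p_protect_info` is still undefined behaviour on paper, so guard the copy: `if (p_cfg->num_protect) { memcpy(...); }`. In bta_av_start_ok the new guard only covers `co_started == 0`; the upper end of `p_audio_flush_to[co_started - 1]` is not checked, so I am assuming audio_open_cnt is bounded by BTA_AV_NUM_STRS elsewhere.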
@@ -2801,9 +2821,18 @@ void bta_av_suspend_cont (tBTA_AV_SCB *p_scb, tBTA_AV_DATA *p_data) } else { APPL_TRACE_DEBUG("bta_av_suspend_cont calling AVDT_ReconfigReq"); /* reconfig the stream */ - - AVDT_ReconfigReq(p_scb->avdt_handle, p_scb->p_cap); - p_scb->p_cap->psc_mask = p_scb->cur_psc_mask; + if (p_scb->p_cap == NULL) { + evt.status = BTA_AV_FAIL; + evt.chnl = p_scb->chnl; + evt.hndl = p_scb->hndl; + if (bta_av_cb.p_cback) { + (*bta_av_cb.p_cback)(BTA_AV_RECONFIG_EVT, (tBTA_AV *)&evt); + } + bta_av_ssm_execute(p_scb, BTA_AV_STR_DISC_FAIL_EVT, NULL); + } else { + AVDT_ReconfigReq(p_scb->avdt_handle, p_scb->p_cap); + p_scb->p_cap->psc_mask = p_scb->cur_psc_mask; + } } } diff --git a/components/bt/host/bluedroid/bta/av/bta_av_act.c b/components/bt/host/bluedroid/bta/av/bta_av_act.c index 434dfa8b22..13d0901e98 100644 --- a/components/bt/host/bluedroid/bta/av/bta_av_act.c +++ b/components/bt/host/bluedroid/bta/av/bta_av_act.c @@ -298,12 +298,18 @@ UINT8 bta_av_rc_create(tBTA_AV_CB *p_cb, UINT8 role, UINT8 shdl, UINT8 lidx) tAVRC_CONN_CB ccb; BD_ADDR_PTR bda = (BD_ADDR_PTR)bd_addr_any; UINT8 status = BTA_AV_RC_ROLE_ACP; - tBTA_AV_SCB *p_scb = p_cb->p_scb[shdl - 1]; + tBTA_AV_SCB *p_scb = NULL; int i; UINT8 rc_handle; tBTA_AV_RCB *p_rcb; + if (shdl > 0 && shdl <= BTA_AV_NUM_STRS) { + p_scb = p_cb->p_scb[shdl - 1]; + } if (role == AVCT_INT) { + if (p_scb == NULL) { + return BTA_AV_RC_HANDLE_NONE; + } bda = p_scb->peer_addr; status = BTA_AV_RC_ROLE_INT; } else { @@ -325,6 +331,11 @@ UINT8 bta_av_rc_create(tBTA_AV_CB *p_cb, UINT8 role, UINT8 shdl, UINT8 lidx) return BTA_AV_RC_HANDLE_NONE; } + if (rc_handle >= BTA_AV_NUM_RCB) { + APPL_TRACE_ERROR("bta_av_rc_create: EINVAL rc_handle %u", rc_handle); + AVRC_Close(rc_handle); + return BTA_AV_RC_HANDLE_NONE; + } i = rc_handle; p_rcb = &p_cb->rcb[i]; 
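Review bot: In bta_av_rc_create the ACP path (`role != AVCT_INT`) now proceeds with `p_scb == NULL` when `shdl` is out of range; the remainder of the function is outside the hunk, so every later use of `p_scb` on that path needs a `if (p_scb)` guard or the early return should apply to both roles. The same `shdl > 0 && shdl <= BTA_AV_NUM_STRS` range test is hand-written again in bta_av_rc_disc (as `hdi`), so a small `static tBTA_AV_SCB *bta_av_scb_from_hdl(tBTA_AV_CB *p_cb, UINT8 hdl)` helper would keep the two in sync. The `AVRC_Close(rc_handle)` on the out-of-range branch is correct since AVRC_Open handed the handle out, but log why it is being closed. In bta_av_suspend_cont the three-line failure report (`status`/`chnl`/`hndl` plus the guarded callback) now appears twice; factor it into a static helper.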
@@ -834,7 +845,7 @@ void bta_av_rc_msg(tBTA_AV_CB *p_cb, tBTA_AV_DATA *p_data) tBTA_AV av; BT_HDR *p_pkt = NULL; tAVRC_MSG_VENDOR *p_vendor = &p_data->rc_msg.msg.vendor; - BOOLEAN is_inquiry = ((p_data->rc_msg.msg.hdr.ctype == AVRC_CMD_SPEC_INQ) || p_data->rc_msg.msg.hdr.ctype == AVRC_CMD_GEN_INQ); + BOOLEAN is_inquiry = ((p_data->rc_msg.msg.hdr.ctype == AVRC_CMD_SPEC_INQ) || (p_data->rc_msg.msg.hdr.ctype == AVRC_CMD_GEN_INQ)); #if (AVRC_METADATA_INCLUDED == TRUE) UINT8 ctype = 0; tAVRC_RESPONSE rc_rsp; @@ -936,7 +947,9 @@ void bta_av_rc_msg(tBTA_AV_CB *p_cb, tBTA_AV_DATA *p_data) /* else if not configured to support vendor specific and it's a command */ else if (!(p_cb->features & BTA_AV_FEAT_VENDOR) && p_data->rc_msg.msg.hdr.ctype <= AVRC_CMD_GEN_INQ) { - if (p_data->rc_msg.msg.vendor.p_vendor_data[0] == AVRC_PDU_INVALID) { + if (p_data->rc_msg.msg.vendor.p_vendor_data != NULL && + p_data->rc_msg.msg.vendor.vendor_len >= 5 && + p_data->rc_msg.msg.vendor.p_vendor_data[0] == AVRC_PDU_INVALID) { /* reject it */ p_data->rc_msg.msg.hdr.ctype = BTA_AV_RSP_REJ; p_data->rc_msg.msg.vendor.p_vendor_data[4] = AVRC_STS_BAD_CMD; @@ -1704,11 +1717,16 @@ void bta_av_rc_disc_done(tBTA_AV_DATA *p_data) /* cannot create valid rc_handle for current device. report failure */ APPL_TRACE_ERROR("%s: no link resources available", __func__); p_scb->use_rc = FALSE; + rc_open.rc_handle = BTA_AV_RC_HANDLE_NONE; bdcpy(rc_open.peer_addr, p_scb->peer_addr); rc_open.peer_features = 0; + rc_open.peer_ct_features = 0; + rc_open.peer_tg_features = 0; rc_open.sdp_disc_done = FALSE; rc_open.status = BTA_AV_FAIL_SDP; - (*p_cb->p_cback)(BTA_AV_RC_OPEN_EVT, (tBTA_AV *) &rc_open); + if (p_cb->p_cback) { + (*p_cb->p_cback)(BTA_AV_RC_OPEN_EVT, (tBTA_AV *) &rc_open); + } } } #if (BT_USE_TRACES == TRUE || BT_TRACE_APPL == TRUE) 
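Review bot: The `vendor_len >= 5` test in bta_av_rc_msg is a bare literal on a peer-controlled length; it encodes the 4-byte vendor PDU header (PDU id, packet type, 2-byte parameter length) plus the one status byte written at `p_vendor_data[4]`, so give it a name such as `#define BTA_AV_VENDOR_REJ_MIN_LEN 5` with that comment. A frame too short to carry a PDU now falls through without any rejection or trace; at minimum log it, and if the AVRC layer offers a way to reject without touching the payload, use that. The surrounding `else if` chain continues outside the hunk, so I cannot tell what the fall-through does with such a frame.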
@@ -1719,11 +1737,16 @@ void bta_av_rc_disc_done(tBTA_AV_DATA *p_data) } else if (p_scb->use_rc) { /* can not find AVRC on peer device. report failure */ p_scb->use_rc = FALSE; + rc_open.rc_handle = BTA_AV_RC_HANDLE_NONE; bdcpy(rc_open.peer_addr, p_scb->peer_addr); rc_open.peer_features = 0; + rc_open.peer_ct_features = 0; + rc_open.peer_tg_features = 0; rc_open.sdp_disc_done = FALSE; rc_open.status = BTA_AV_FAIL_SDP; - (*p_cb->p_cback)(BTA_AV_RC_OPEN_EVT, (tBTA_AV *) &rc_open); + if (p_cb->p_cback) { + (*p_cb->p_cback)(BTA_AV_RC_OPEN_EVT, (tBTA_AV *) &rc_open); + } } } } else { @@ -1737,7 +1760,9 @@ void bta_av_rc_disc_done(tBTA_AV_DATA *p_data) rc_feat.peer_features = peer_features; rc_feat.peer_ct_features = peer_ct_features; rc_feat.peer_tg_features = peer_tg_features; - (*p_cb->p_cback)(BTA_AV_RC_FEAT_EVT, (tBTA_AV *) &rc_feat); + if (p_cb->p_cback) { + (*p_cb->p_cback)(BTA_AV_RC_FEAT_EVT, (tBTA_AV *) &rc_feat); + } } } @@ -1866,12 +1891,17 @@ void bta_av_rc_disc(UINT8 disc) if ((disc & BTA_AV_CHNL_MSK) == BTA_AV_CHNL_MSK) { /* this is the rc handle/index to tBTA_AV_RCB */ rc_handle = disc & (~BTA_AV_CHNL_MSK); - if (p_cb->rcb[rc_handle].lidx) { + if (rc_handle < BTA_AV_NUM_RCB && p_cb->rcb[rc_handle].lidx > 0 && + p_cb->rcb[rc_handle].lidx <= (BTA_AV_NUM_LINKS + 1)) { p_addr = p_cb->lcb[p_cb->rcb[rc_handle].lidx - 1].addr; } } else { - hdi = (disc & BTA_AV_HNDL_MSK) - 1; - p_scb = p_cb->p_scb[hdi]; + hdi = (disc & BTA_AV_HNDL_MSK); + if (hdi > 0 && (hdi - 1) < BTA_AV_NUM_STRS) { + p_scb = p_cb->p_scb[hdi - 1]; + } else { + p_scb = NULL; + } if (p_scb) { APPL_TRACE_DEBUG("rc_handle %d", p_scb->rc_handle); diff --git a/components/bt/host/bluedroid/bta/av/bta_av_api.c b/components/bt/host/bluedroid/bta/av/bta_av_api.c index f62d9efe60..b95f7d16c6 100644 --- a/components/bt/host/bluedroid/bta/av/bta_av_api.c +++ b/components/bt/host/bluedroid/bta/av/bta_av_api.c 
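Review bot: In bta_av_rc_disc the upper bound `lidx <= (BTA_AV_NUM_LINKS + 1)` restates the size of `p_cb->lcb` as a separate literal; if `lcb` is a fixed array, tie the check to its declaration with `p_cb->rcb[rc_handle].lidx <= (sizeof(p_cb->lcb) / sizeof(p_cb->lcb[0]))` so it cannot drift from the type. The `rc_handle < BTA_AV_NUM_RCB` check on a value derived from `disc` is the right addition. The repeated `rc_open` initialisation in bta_av_rc_disc_done would be simpler and harder to get wrong as a `memset(&rc_open, 0, sizeof(rc_open))` at the declaration (outside the hunk) followed by only the non-zero fields.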
@@ -117,6 +117,7 @@ void BTA_AvRegister(tBTA_AV_CHNL chnl, const char *p_service_name, UINT8 app_id, p_buf->hdr.event = BTA_AV_API_REGISTER_EVT; if (p_service_name) { BCM_STRNCPY_S(p_buf->p_service_name, p_service_name, BTA_SERVICE_NAME_LEN); + p_buf->p_service_name[BTA_SERVICE_NAME_LEN] = '\0'; } else { p_buf->p_service_name[0] = '\0'; } @@ -133,6 +134,9 @@ void BTA_AvRegSEP(tBTA_AV_CHNL chnl, UINT8 seid, UINT8 tsep, tBTA_AV_CODEC codec { tBTA_AV_API_REG_SEP *p_buf; + if (p_codec_info == NULL) { + return; + } if ((p_buf = (tBTA_AV_API_REG_SEP *) osi_malloc(sizeof(tBTA_AV_API_REG_SEP))) != NULL) { p_buf->hdr.layer_specific = chnl; p_buf->hdr.event = BTA_AV_API_REG_SEP_EVT; @@ -344,8 +348,14 @@ void BTA_AvReconfig(tBTA_AV_HNDL hndl, BOOLEAN suspend, UINT8 sep_info_idx, void BTA_AvProtectReq(tBTA_AV_HNDL hndl, UINT8 *p_data, UINT16 len) { tBTA_AV_API_PROTECT_REQ *p_buf; + size_t alloc_size; - if ((p_buf = (tBTA_AV_API_PROTECT_REQ *) osi_malloc((UINT16) (sizeof(tBTA_AV_API_PROTECT_REQ) + len))) != NULL) { + /* Cap allocation size to avoid UINT16 overflow */ + alloc_size = sizeof(tBTA_AV_API_PROTECT_REQ) + len; + if (alloc_size > 0xFFFF) { + return; + } + if ((p_buf = (tBTA_AV_API_PROTECT_REQ *) osi_malloc((UINT16) alloc_size)) != NULL) { p_buf->hdr.layer_specific = hndl; p_buf->hdr.event = BTA_AV_API_PROTECT_REQ_EVT; p_buf->len = len; 
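Review bot: `p_buf->p_service_name[BTA_SERVICE_NAME_LEN] = '\0';` in BTA_AvRegister writes one byte past the copy limit, which is only in-bounds if the field is declared `[BTA_SERVICE_NAME_LEN + 1]`; the declaration is not in the hunk, so please confirm it, and prefer expressing the terminator in terms of the field itself, `p_buf->p_service_name[sizeof(p_buf->p_service_name) - 1] = '\0';`, so a future resize cannot turn this into an off-by-one heap write. The `alloc_size > 0xFFFF` guard in BTA_AvProtectReq silently drops the request with no return value or trace; an `APPL_TRACE_ERROR` there would help callers, and the sibling hunks spell the same bound as `UINT16_MAX`, so use one form.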
@@ -374,8 +384,14 @@ void BTA_AvProtectReq(tBTA_AV_HNDL hndl, UINT8 *p_data, UINT16 len) void BTA_AvProtectRsp(tBTA_AV_HNDL hndl, UINT8 error_code, UINT8 *p_data, UINT16 len) { tBTA_AV_API_PROTECT_RSP *p_buf; + size_t alloc_size; - if ((p_buf = (tBTA_AV_API_PROTECT_RSP *) osi_malloc((UINT16) (sizeof(tBTA_AV_API_PROTECT_RSP) + len))) != NULL) { + /* Cap allocation size to avoid UINT16 overflow */ + alloc_size = sizeof(tBTA_AV_API_PROTECT_RSP) + len; + if (alloc_size > UINT16_MAX) { + return; + } + if ((p_buf = (tBTA_AV_API_PROTECT_RSP *) osi_malloc((UINT16) alloc_size)) != NULL) { p_buf->hdr.layer_specific = hndl; p_buf->hdr.event = BTA_AV_API_PROTECT_RSP_EVT; p_buf->len = len; @@ -469,8 +485,14 @@ void BTA_AvRemoteCmd(UINT8 rc_handle, UINT8 label, tBTA_AV_RC rc_id, tBTA_AV_STA void BTA_AvVendorCmd(UINT8 rc_handle, UINT8 label, tBTA_AV_CODE cmd_code, UINT8 *p_data, UINT16 len) { tBTA_AV_API_VENDOR *p_buf; + size_t alloc_size; - if ((p_buf = (tBTA_AV_API_VENDOR *) osi_malloc((UINT16) (sizeof(tBTA_AV_API_VENDOR) + len))) != NULL) { + /* Cap allocation size to avoid UINT16 overflow */ + alloc_size = sizeof(tBTA_AV_API_VENDOR) + len; + if (alloc_size > UINT16_MAX) { + return; + } + if ((p_buf = (tBTA_AV_API_VENDOR *) osi_malloc((UINT16) alloc_size)) != NULL) { p_buf->hdr.event = BTA_AV_API_VENDOR_CMD_EVT; p_buf->hdr.layer_specific = rc_handle; p_buf->msg.hdr.ctype = cmd_code; 
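Review bot: Both hunks here reject oversized requests with a bare `return` from a void API, so the caller never learns the command was dropped; add `APPL_TRACE_ERROR("%s: len %u too large", __func__, len);` before each return. The bound is written `UINT16_MAX` in these two functions but `0xFFFF` in BTA_AvProtectReq and BTA_AvVendorRsp; pick one spelling across the file. The size computation itself is now done in `size_t` before the narrowing cast, which is the correct shape.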
@@ -504,8 +526,14 @@ void BTA_AvVendorCmd(UINT8 rc_handle, UINT8 label, tBTA_AV_CODE cmd_code, UINT8 void BTA_AvVendorRsp(UINT8 rc_handle, UINT8 label, tBTA_AV_CODE rsp_code, UINT8 *p_data, UINT16 len, UINT32 company_id) { tBTA_AV_API_VENDOR *p_buf; + size_t alloc_size; - if ((p_buf = (tBTA_AV_API_VENDOR *) osi_malloc((UINT16) (sizeof(tBTA_AV_API_VENDOR) + len))) != NULL) { + /* Cap allocation size to avoid UINT16 overflow */ + alloc_size = sizeof(tBTA_AV_API_VENDOR) + len; + if (alloc_size > 0xFFFF) { + return; + } + if ((p_buf = (tBTA_AV_API_VENDOR *) osi_malloc((UINT16) alloc_size)) != NULL) { p_buf->hdr.event = BTA_AV_API_VENDOR_RSP_EVT; p_buf->hdr.layer_specific = rc_handle; p_buf->msg.hdr.ctype = rsp_code; @@ -627,6 +655,8 @@ void BTA_AvMetaCmd(UINT8 rc_handle, UINT8 label, tBTA_AV_CMD cmd_code, BT_HDR *p p_buf->label = label; bta_sys_sendmsg(p_buf); + } else if (p_pkt) { + osi_free(p_pkt); } } 
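Review bot: The new `else if (p_pkt) osi_free(p_pkt);` in BTA_AvMetaCmd changes the ownership contract: the packet is now consumed on the allocation-failure path as well, so any caller that frees `p_pkt` itself when the command could not be queued would double free. I cannot see the callers from here; document the contract in the function's header comment, e.g. `/* p_pkt is consumed by this call on both success and failure; the caller must not free it */`, and audit callers. The `0xFFFF` in BTA_AvVendorRsp should match the `UINT16_MAX` used in BTA_AvVendorCmd.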
@@ -689,14 +719,30 @@ void BTA_AvCaClose(UINT8 rc_handle) void BTA_AvCaGet(UINT8 rc_handle, tBTA_AV_GET_TYPE type, UINT8 *image_handle, UINT8 *image_descriptor, UINT16 image_descriptor_len) { tBTA_AV_API_CA_GET *p_buf; + size_t alloc_size; - if ((p_buf = (tBTA_AV_API_CA_GET *) osi_malloc(sizeof(tBTA_AV_API_CA_GET))) != NULL) { + /* NULL image_handle would cause crash in memcpy; reject early */ + if (image_handle == NULL) { + return; + } + /* Cap allocation size to avoid overflow */ + alloc_size = sizeof(tBTA_AV_API_CA_GET) + image_descriptor_len; + if (alloc_size > 0xFFFF) { + return; + } + if ((p_buf = (tBTA_AV_API_CA_GET *) osi_malloc((UINT16) alloc_size)) != NULL) { p_buf->hdr.event = BTA_AV_API_CA_GET_EVT; p_buf->hdr.layer_specific = rc_handle; p_buf->type = type; memcpy(p_buf->image_handle, image_handle, BTA_AV_CA_IMG_HDL_LEN); - p_buf->image_descriptor = image_descriptor; p_buf->image_descriptor_len = image_descriptor_len; + /* Copy image_descriptor into message to avoid use-after-free when message is async */ + if (image_descriptor != NULL && image_descriptor_len > 0) { + p_buf->image_descriptor = (UINT8 *) (p_buf + 1); + memcpy(p_buf->image_descriptor, image_descriptor, image_descriptor_len); + } else { + p_buf->image_descriptor = NULL; + } bta_sys_sendmsg(p_buf); } } diff --git a/components/bt/host/bluedroid/bta/av/bta_av_cfg.c b/components/bt/host/bluedroid/bta/av/bta_av_cfg.c index ef22d7932b..a7b47b5885 100644 --- a/components/bt/host/bluedroid/bta/av/bta_av_cfg.c +++ b/components/bt/host/bluedroid/bta/av/bta_av_cfg.c 
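Review bot: In BTA_AvCaGet `p_buf->image_descriptor_len = image_descriptor_len;` is set unconditionally, but when `image_descriptor` is NULL with a non-zero length the pointer is set to NULL while the length stays non-zero, so the consumer of the message can read `len` bytes through NULL; set `p_buf->image_descriptor_len = 0;` in the else branch. Copying the descriptor into the message is the right fix for the lifetime issue; note in the header comment that the caller keeps ownership of `image_descriptor` and that `image_handle` must point at at least BTA_AV_CA_IMG_HDL_LEN bytes, since the `memcpy` relies on that.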
@@ -61,7 +61,7 @@ const UINT16 bta_av_audio_flush_to[] = { 0 /* 5 streams */ }; /* AVDTP audio transport channel flush timeout */ -/* Note: Android doesnt support AVRC_SUPF_TG_GROUP_NAVI */ +/* Note: Android doesn't support AVRC_SUPF_TG_GROUP_NAVI */ /* Note: if AVRC_SUPF_TG_GROUP_NAVI is set, bta_av_cfg.avrc_group should be TRUE */ #if AVRC_METADATA_INCLUDED == TRUE #define BTA_AV_RC_SNK_SUPF_TG (AVRC_SUPF_TG_CAT2) /* TODO: | AVRC_SUPF_TG_APP_SETTINGS) */ @@ -105,6 +105,6 @@ const tBTA_AV_CFG bta_av_cfg = { {0}, /* Default AVRCP target name */ }; -tBTA_AV_CFG *p_bta_av_cfg = (tBTA_AV_CFG *) &bta_av_cfg; +const tBTA_AV_CFG *p_bta_av_cfg = &bta_av_cfg; #endif /* if defined(BTA_AV_INCLUDED) && (BTA_AV_INCLUDED == TRUE) */ diff --git a/components/bt/host/bluedroid/bta/av/bta_av_ci.c b/components/bt/host/bluedroid/bta/av/bta_av_ci.c index f1d2e9d0f7..8ffc3cdca5 100644 --- a/components/bt/host/bluedroid/bta/av/bta_av_ci.c +++ b/components/bt/host/bluedroid/bta/av/bta_av_ci.c @@ -82,7 +82,7 @@ void bta_av_ci_setconfig(tBTA_AV_HNDL hndl, UINT8 err_code, UINT8 category, p_buf->category = category; p_buf->recfg_needed = recfg_needed; p_buf->avdt_handle = avdt_handle; - p_buf->num_seid = num_seid; + p_buf->num_seid = (p_seid != NULL) ? num_seid : 0; if (p_seid && num_seid) { memcpy(p_buf->p_seid, p_seid, num_seid); } diff --git a/components/bt/host/bluedroid/bta/av/bta_av_main.c b/components/bt/host/bluedroid/bta/av/bta_av_main.c index cf634f2525..5e08ef5d94 100644 --- a/components/bt/host/bluedroid/bta/av/bta_av_main.c +++ b/components/bt/host/bluedroid/bta/av/bta_av_main.c @@ -368,7 +368,12 @@ static tBTA_AV_SCB *bta_av_alloc_scb(tBTA_AV_CHNL chnl) p_ret->hndl = (tBTA_AV_HNDL)((xx + 1) | chnl); p_ret->hdi = xx; p_ret->a2d_list = list_new(NULL); - bta_av_cb.p_scb[xx] = p_ret; + if (p_ret->a2d_list == NULL) { + osi_free(p_ret); + p_ret = NULL; + } else { + bta_av_cb.p_scb[xx] = p_ret; + } } break; } 
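Review bot: In bta_av_ci_setconfig the `num_seid` passed by the caller is still used unclamped as the `memcpy` length into `p_buf->p_seid`; if that member is a fixed array (its declaration is outside the hunk), a caller passing a larger count overflows the message. Clamp it in the same expression, e.g. `p_buf->num_seid = (p_seid != NULL) ? ((num_seid > sizeof(p_buf->p_seid)) ? sizeof(p_buf->p_seid) : num_seid) : 0;`, and copy `p_buf->num_seid` rather than `num_seid`. The `list_new` failure handling in bta_av_alloc_scb is correct; an error trace there would help diagnose out-of-memory at connect time.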
@@ -417,13 +422,15 @@ void bta_av_conn_cback(UINT8 handle, BD_ADDR bd_addr, UINT8 event, tAVDT_CTRL *p p_scb = bta_av_addr_to_scb(bd_addr); } else if (AVDT_CONNECT_IND_EVT == event) { - APPL_TRACE_DEBUG("CONN_IND is ACP:%d\n", p_data->hdr.err_param); + if (p_data) { + APPL_TRACE_DEBUG("CONN_IND is ACP:%d\n", p_data->hdr.err_param); + } } if ((p_msg = (tBTA_AV_STR_MSG *) osi_malloc((UINT16) (sizeof(tBTA_AV_STR_MSG)))) != NULL) { p_msg->hdr.event = evt; p_msg->hdr.layer_specific = event; - p_msg->hdr.offset = p_data->hdr.err_param; + p_msg->hdr.offset = p_data ? p_data->hdr.err_param : 0; bdcpy(p_msg->bd_addr, bd_addr); if (p_scb) { APPL_TRACE_DEBUG("scb hndl x%x, role x%x\n", p_scb->hndl, p_scb->role); @@ -1264,9 +1271,9 @@ void bta_av_dup_audio_buf(tBTA_AV_SCB *p_scb, BT_HDR *p_buf) if (list_length(p_scbi->a2d_list) > p_bta_av_cfg->audio_mqs) { // Drop the oldest packet bta_av_co_audio_drop(p_scbi->hndl); - BT_HDR *p_buf = list_front(p_scbi->a2d_list); - list_remove(p_scbi->a2d_list, p_buf); - osi_free(p_buf); + BT_HDR *p_buf_drop = list_front(p_scbi->a2d_list); + list_remove(p_scbi->a2d_list, p_buf_drop); + osi_free(p_buf_drop); } } } @@ -1290,6 +1297,10 @@ void bta_av_sm_execute(tBTA_AV_CB *p_cb, UINT16 event, tBTA_AV_DATA *p_data) tBTA_AV_ST_TBL state_table; UINT8 action; + if (p_cb == NULL || p_cb->state >= (sizeof(bta_av_st_tbl) / sizeof(bta_av_st_tbl[0]))) { + return; + } + APPL_TRACE_EVENT("AV event=0x%x state=%d\n", event, p_cb->state); /* look up the state table for the current state */ @@ -1297,6 +1308,10 @@ void bta_av_sm_execute(tBTA_AV_CB *p_cb, UINT16 event, tBTA_AV_DATA *p_data) event &= 0x00FF; + if (event >= (sizeof(bta_av_st_init) / sizeof(bta_av_st_init[0]))) { + return; + } + /* set next state */ p_cb->state = state_table[event][BTA_AV_NEXT_STATE]; APPL_TRACE_EVENT("next state=%d\n", p_cb->state); 
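Review bot: The two new early returns in bta_av_sm_execute discard the event silently; a bad state or event index is a stack bug worth an `APPL_TRACE_ERROR("%s: bad state %d / event 0x%x", __func__, p_cb->state, event);` before each `return`. The event bound is taken from `bta_av_st_init` but applied to whichever table `bta_av_st_tbl[p_cb->state]` selects, which is only valid if every state table has the same dimension; a shared named constant for the table width, or a compile-time size check, would make that assumption explicit. The `p_data ? ... : 0` handling in bta_av_conn_cback is fine.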
@@ -1329,8 +1344,10 @@ BOOLEAN bta_av_hdl_event(BT_HDR *p_msg) if (event >= first_event) { APPL_TRACE_VERBOSE("AV nsm event=0x%x(%s)\n", event, bta_av_evt_code(event)); - /* non state machine events */ - (*bta_av_nsm_act[event - BTA_AV_FIRST_NSM_EVT]) ((tBTA_AV_DATA *) p_msg); + if (event <= BTA_AV_LAST_NSM_EVT) { + /* non state machine events */ + (*bta_av_nsm_act[event - BTA_AV_FIRST_NSM_EVT]) ((tBTA_AV_DATA *) p_msg); + } } else if (event >= BTA_AV_FIRST_SM_EVT && event <= BTA_AV_LAST_SM_EVT) { APPL_TRACE_VERBOSE("AV sm event=0x%x(%s)\n", event, bta_av_evt_code(event)); /* state machine events */ diff --git a/components/bt/host/bluedroid/bta/av/bta_av_sbc.c b/components/bt/host/bluedroid/bta/av/bta_av_sbc.c index 3fd3d94bfd..0dea1db7c4 100644 --- a/components/bt/host/bluedroid/bta/av/bta_av_sbc.c +++ b/components/bt/host/bluedroid/bta/av/bta_av_sbc.c @@ -119,7 +119,9 @@ int bta_av_sbc_up_sample (void *p_src, void *p_dst, dst = dst_samples / bta_av_sbc_ups_cb.div; return (*bta_av_sbc_ups_cb.p_act)(p_src, p_dst, src, dst, p_ret); } else { - *p_ret = 0; + if (p_ret) { + *p_ret = 0; + } return 0; } } @@ -212,7 +214,7 @@ int bta_av_sbc_up_sample_16m (void *p_src, void *p_dst, UINT32 src_sps = bta_av_sbc_ups_cb.src_sps; UINT32 dst_sps = bta_av_sbc_ups_cb.dst_sps; - while (bta_av_sbc_ups_cb.cur_pos > 0 && dst_samples) { + while (bta_av_sbc_ups_cb.cur_pos > 0 && dst_samples >= 2) { *p_dst_tmp++ = *p_worker; *p_dst_tmp++ = *p_worker; @@ -224,7 +226,7 @@ int bta_av_sbc_up_sample_16m (void *p_src, void *p_dst, bta_av_sbc_ups_cb.cur_pos = dst_sps; - while (src_samples-- && dst_samples) { + while (src_samples-- && dst_samples >= 2) { *p_worker = *p_src_tmp++; do { @@ -235,7 +237,7 @@ int bta_av_sbc_up_sample_16m (void *p_src, void *p_dst, dst_samples--; dst_samples--; - } while (bta_av_sbc_ups_cb.cur_pos > 0 && dst_samples); + } while (bta_av_sbc_ups_cb.cur_pos > 0 && dst_samples >= 2); bta_av_sbc_ups_cb.cur_pos += dst_sps; } 
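Review bot: The `if (p_ret)` guard in bta_av_sbc_up_sample only covers the fall-through branch; the active branch still hands `p_ret` to `(*bta_av_sbc_ups_cb.p_act)` unguarded, so either `p_ret` is required (document that and drop the guard) or the same NULL handling belongs in the per-format functions too. The `dst_samples >= 2` bounds in bta_av_sbc_up_sample_16m match the two 16-bit writes per iteration, and the `>= 4` in the 8m variant matches its four; a one-line comment on each loop saying that `dst_samples` is counted in output samples and why the step is 2 or 4 would stop the next reader from "fixing" them back to `dst_samples`. The `event <= BTA_AV_LAST_NSM_EVT` check in bta_av_hdl_event should also log the dropped event.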
@@ -276,7 +278,7 @@ int bta_av_sbc_up_sample_8s (void *p_src, void *p_dst, UINT32 src_sps = bta_av_sbc_ups_cb.src_sps; UINT32 dst_sps = bta_av_sbc_ups_cb.dst_sps; - while (bta_av_sbc_ups_cb.cur_pos > 0 && dst_samples) { + while (bta_av_sbc_ups_cb.cur_pos > 0 && dst_samples >= 2) { *p_dst_tmp++ = *p_worker1; *p_dst_tmp++ = *p_worker2; @@ -287,7 +289,7 @@ int bta_av_sbc_up_sample_8s (void *p_src, void *p_dst, bta_av_sbc_ups_cb.cur_pos = dst_sps; - while (src_samples -- && dst_samples) { + while (src_samples -- && dst_samples >= 2) { *p_worker1 = *(UINT8 *)p_src_tmp++; *p_worker1 -= 0x80; *p_worker1 <<= 8; @@ -302,7 +304,7 @@ int bta_av_sbc_up_sample_8s (void *p_src, void *p_dst, bta_av_sbc_ups_cb.cur_pos -= src_sps; dst_samples--; dst_samples--; - } while (bta_av_sbc_ups_cb.cur_pos > 0 && dst_samples); + } while (bta_av_sbc_ups_cb.cur_pos > 0 && dst_samples >= 2); bta_av_sbc_ups_cb.cur_pos += dst_sps; } @@ -342,7 +344,7 @@ int bta_av_sbc_up_sample_8m (void *p_src, void *p_dst, UINT32 src_sps = bta_av_sbc_ups_cb.src_sps; UINT32 dst_sps = bta_av_sbc_ups_cb.dst_sps; - while (bta_av_sbc_ups_cb.cur_pos > 0 && dst_samples) { + while (bta_av_sbc_ups_cb.cur_pos > 0 && dst_samples >= 4) { *p_dst_tmp++ = *p_worker; *p_dst_tmp++ = *p_worker; @@ -353,7 +355,7 @@ int bta_av_sbc_up_sample_8m (void *p_src, void *p_dst, bta_av_sbc_ups_cb.cur_pos = dst_sps; - while (src_samples-- && dst_samples) { + while (src_samples-- && dst_samples >= 4) { *p_worker = *(UINT8 *)p_src_tmp++; *p_worker -= 0x80; *p_worker <<= 8; @@ -365,7 +367,7 @@ int bta_av_sbc_up_sample_8m (void *p_src, void *p_dst, bta_av_sbc_ups_cb.cur_pos -= src_sps; dst_samples -= 4; - } while (bta_av_sbc_ups_cb.cur_pos > 0 && dst_samples); + } while (bta_av_sbc_ups_cb.cur_pos > 0 && dst_samples >= 4); bta_av_sbc_ups_cb.cur_pos += dst_sps; } 
@@ -455,6 +457,11 @@ UINT8 bta_av_sbc_cfg_for_cap(UINT8 *p_peer, tA2D_SBC_CIE *p_cap, tA2D_SBC_CIE *p peer_cie.min_bitpool = p_pref->min_bitpool; } + if (peer_cie.min_bitpool > peer_cie.max_bitpool) { + APPL_TRACE_ERROR("bta_av_sbc_cfg_for_cap: min_bp > max_bp"); + return A2D_FAIL; + } + if (status == A2D_SUCCESS) { /* build configuration */ A2D_BldSbcInfo(A2D_MEDIA_TYPE_AUDIO, &peer_cie, p_peer); diff --git a/components/bt/host/bluedroid/bta/av/bta_av_ssm.c b/components/bt/host/bluedroid/bta/av/bta_av_ssm.c index 15acf51386..4f6dbd8a8f 100644 --- a/components/bt/host/bluedroid/bta/av/bta_av_ssm.c +++ b/components/bt/host/bluedroid/bta/av/bta_av_ssm.c @@ -429,6 +429,11 @@ void bta_av_ssm_execute(tBTA_AV_SCB *p_scb, UINT16 event, tBTA_AV_DATA *p_data) APPL_TRACE_VERBOSE("AV Sevent(0x%x)=0x%x(%s) state=%d(%s)", p_scb->hndl, event, bta_av_evt_code(event), p_scb->state, bta_av_sst_code(p_scb->state)); + if (p_scb->state >= (sizeof(bta_av_sst_tbl) / sizeof(bta_av_sst_tbl[0])) || + event < BTA_AV_FIRST_SSM_EVT || event > BTA_AV_LAST_SSM_EVT) { + return; + } + /* look up the state table for the current state */ state_table = bta_av_sst_tbl[p_scb->state]; diff --git a/components/bt/host/bluedroid/bta/av/include/bta_av_int.h b/components/bt/host/bluedroid/bta/av/include/bta_av_int.h index 40535bb1c3..ac6bd18b18 100644 --- a/components/bt/host/bluedroid/bta/av/include/bta_av_int.h +++ b/components/bt/host/bluedroid/bta/av/include/bta_av_int.h @@ -133,6 +133,7 @@ enum { /* events for AV stream control block state machine */ #define BTA_AV_FIRST_SSM_EVT BTA_AV_API_OPEN_EVT +#define BTA_AV_LAST_SSM_EVT BTA_AV_ACP_CONNECT_EVT /* events that do not go through state machine */ #define BTA_AV_FIRST_NSM_EVT BTA_AV_API_ENABLE_EVT @@ -678,7 +679,7 @@ extern tBTA_AV_CB *bta_av_cb_ptr; #endif /* config struct */ -extern tBTA_AV_CFG *p_bta_av_cfg; +extern const tBTA_AV_CFG *p_bta_av_cfg; extern const tBTA_AV_SACT bta_av_a2d_action[]; extern const tBTA_AV_SACT bta_av_vdp_action[];
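Review bot: The new state/event range check in bta_av_ssm_execute sits after the `APPL_TRACE_VERBOSE` that already calls `bta_av_sst_code(p_scb->state)` with the unchecked state; if that helper indexes a name table by state, the out-of-bounds read happens before the guard, so move the `if (p_scb->state >= ... || event < BTA_AV_FIRST_SSM_EVT || event > BTA_AV_LAST_SSM_EVT) return;` block above the trace and add an `APPL_TRACE_ERROR` so the dropped event is visible. In bta_av_sbc_cfg_for_cap the `min_bitpool > max_bitpool` check returns `A2D_FAIL` directly while the surrounding code funnels results through `status`; setting `status = A2D_FAIL` would keep one exit path, though the function's return is outside the hunk.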
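Review bot: `BTA_AV_LAST_SSM_EVT` in bta_av_int.h is correct only while `BTA_AV_ACP_CONNECT_EVT` stays the final entry of the stream state-machine range in the enum above it; that dependency is invisible at the definition. Add a comment next to it, `/* must be the last SSM event in the enum above; bta_av_ssm_execute rejects anything past it */`, so whoever appends an event updates both places.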