Fix read out of bounds in BtifAvEvent::DeepCopy

Bug: 140768453 Change-Id: Ia05e12382ef78a3e07228d09bcf9347f9976bffd (cherry picked from commit 8ac773aa5b2ace322a52e27a2231ac63688219de)
MoKee · Jan 5, 2021 · 0323b27 · 0323b27
1 parent bcb3caf
commit 0323b27
Showing 1 changed file with 18 additions and 18 deletions.
diff --git a/bta/av/bta_av_aact.cc b/bta/av/bta_av_aact.cc
@@ -3929,7 +3929,7 @@ void bta_av_open_at_inc(tBTA_AV_SCB* p_scb, tBTA_AV_DATA* p_data) {
 
 void offload_vendor_callback(tBTM_VSC_CMPL *param)
 {
-  unsigned char status = 0;
+  tBTA_AV value{0};
   unsigned char sub_opcode = 0;
   APPL_TRACE_DEBUG("%s: param_len = %d subopcode = %d status = %d", __func__,
                      param->param_len, param->p_param_buf[1], param->p_param_buf[0]);
@@ -3938,10 +3938,10 @@ void offload_vendor_callback(tBTM_VSC_CMPL *param)
             offload_start.p_scb->vendor_start);
   if (param->param_len)
   {
-    status = param->p_param_buf[0];
+    value.status = param->p_param_buf[0];
   }
   sub_opcode =  param->p_param_buf[1];
-  if (status == 0)
+  if (value.status == 0)
   {
     //sub_opcode =  param->p_param_buf[1];
     switch(sub_opcode)
@@ -3991,8 +3991,8 @@ void offload_vendor_callback(tBTM_VSC_CMPL *param)
             btif_a2dp_src_vsc.vs_configs_exchanged = TRUE;
           else {
             APPL_TRACE_ERROR("Dont send start, stream suspended update fail to Audio");
-            status = 1;//FAIL
-            (*bta_av_cb.p_cback)(BTA_AV_OFFLOAD_START_RSP_EVT, (tBTA_AV*)&status);
+            value.status = 1;//FAIL
+            (*bta_av_cb.p_cback)(BTA_AV_OFFLOAD_START_RSP_EVT, &value);
             break;
           }
 #if (BTA_AV_CO_CP_SCMS_T == TRUE)
@@ -4002,8 +4002,8 @@ void offload_vendor_callback(tBTM_VSC_CMPL *param)
          }else{
             if (last_sent_vsc_cmd == VS_QHCI_START_A2DP_MEDIA) {
                    APPL_TRACE_DEBUG("%s: START VSC already exchanged.", __func__);
-                   status = 0;
-                   (*bta_av_cb.p_cback)(BTA_AV_OFFLOAD_START_RSP_EVT, (tBTA_AV*)&status);
+                   value.status = 0;
+                   (*bta_av_cb.p_cback)(BTA_AV_OFFLOAD_START_RSP_EVT, &value);
                    return;
                }
                last_sent_vsc_cmd = VS_QHCI_START_A2DP_MEDIA;
@@ -4014,8 +4014,8 @@ void offload_vendor_callback(tBTM_VSC_CMPL *param)
 #else
           if (last_sent_vsc_cmd == VS_QHCI_START_A2DP_MEDIA) {
             APPL_TRACE_DEBUG("%s: START VSC already exchanged.", __func__);
-            status = 0;
-            (*bta_av_cb.p_cback)(BTA_AV_OFFLOAD_START_RSP_EVT, (tBTA_AV*)&status);
+            value.status = 0;
+            (*bta_av_cb.p_cback)(BTA_AV_OFFLOAD_START_RSP_EVT, &value);
             return;
           }
           last_sent_vsc_cmd = VS_QHCI_START_A2DP_MEDIA;
@@ -4033,8 +4033,8 @@ void offload_vendor_callback(tBTM_VSC_CMPL *param)
           APPL_TRACE_DEBUG("%s: Last cached VSC command: 0x0%x", __func__, last_sent_vsc_cmd);
           if (last_sent_vsc_cmd == VS_QHCI_START_A2DP_MEDIA) {
             APPL_TRACE_DEBUG("%s: START VSC already exchanged.", __func__);
-            status = 0;
-            (*bta_av_cb.p_cback)(BTA_AV_OFFLOAD_START_RSP_EVT, (tBTA_AV*)&status);
+            value.status = 0;
+            (*bta_av_cb.p_cback)(BTA_AV_OFFLOAD_START_RSP_EVT, &value);
             return;
           }
           last_sent_vsc_cmd = VS_QHCI_START_A2DP_MEDIA;
@@ -4046,11 +4046,11 @@ void offload_vendor_callback(tBTM_VSC_CMPL *param)
         }
       case VS_QHCI_START_A2DP_MEDIA:
           APPL_TRACE_DEBUG("%s: Multi VS_QHCI_START_A2DP_MEDIA successful", __func__);
-          (*bta_av_cb.p_cback)(BTA_AV_OFFLOAD_START_RSP_EVT, (tBTA_AV*)&status);
+          (*bta_av_cb.p_cback)(BTA_AV_OFFLOAD_START_RSP_EVT, &value);
           break;
       case VS_QHCI_STOP_A2DP_MEDIA:
           APPL_TRACE_DEBUG("%s: VS_QHCI_STOP_A2DP_MEDIA successful", __func__);
-          (*bta_av_cb.p_cback)(BTA_AV_OFFLOAD_STOP_RSP_EVT, (tBTA_AV*)&status);
+          (*bta_av_cb.p_cback)(BTA_AV_OFFLOAD_STOP_RSP_EVT, &value);
           if (btif_a2dp_src_vsc.start_reset) {
             bta_av_offload_req(offload_start.p_scb, NULL);
             btif_a2dp_src_vsc.start_reset = false;
@@ -4067,7 +4067,7 @@ void offload_vendor_callback(tBTM_VSC_CMPL *param)
           } else {
             offload_rsp.hndl = offload_start.p_scb->hndl;
           }
-          offload_rsp.status = status;
+          offload_rsp.status = value.status;
           offload_rsp.stream_start = offload_start.stream_start;
           //bta_av_data.start.hndl = offload_start.p_scb->hndl;
           bta_av_data.offload_rsp = offload_rsp;
@@ -4077,8 +4077,8 @@ void offload_vendor_callback(tBTM_VSC_CMPL *param)
       default:
       break;
     }
-  } else if ((status == QHCI_INVALID_VSC && sub_opcode == VS_QHCI_A2DP_OFFLOAD_START)
-      || (status == QHCI_INVALID_VSC && last_sent_vsc_cmd == VS_QHCI_A2DP_OFFLOAD_START)) {
+  } else if ((value.status == QHCI_INVALID_VSC && sub_opcode == VS_QHCI_A2DP_OFFLOAD_START)
+      || (value.status == QHCI_INVALID_VSC && last_sent_vsc_cmd == VS_QHCI_A2DP_OFFLOAD_START)) {
     APPL_TRACE_DEBUG("%s: single VSC failed, sending multi VSC: %d",
                              __func__, param->p_param_buf[1]);
     btif_a2dp_src_vsc.multi_vsc_support = true;
@@ -4097,12 +4097,12 @@ void offload_vendor_callback(tBTM_VSC_CMPL *param)
         } else {
           offload_rsp.hndl = offload_start.p_scb->hndl;
         }
-        offload_rsp.status = status;
+        offload_rsp.status = value.status;
         offload_rsp.stream_start = offload_start.stream_start;
         bta_av_data.offload_rsp = offload_rsp;
         (*bta_av_cb.p_cback)(BTA_AV_OFFLOAD_START_RSP_EVT, &bta_av_data);
       } else {
-        (*bta_av_cb.p_cback)(BTA_AV_OFFLOAD_START_RSP_EVT, (tBTA_AV*)&status);
+        (*bta_av_cb.p_cback)(BTA_AV_OFFLOAD_START_RSP_EVT, &value);
       }
     }
   }