From 06f4737df18c9f760e2d26f6e00597e35db7a936 Mon Sep 17 00:00:00 2001 From: Luiz Augusto von Dentz Date: Tue, 14 Oct 2014 11:20:56 +0300 Subject: [PATCH] android/avrcp-lib: Handle invalid bit of volume Top bit of volume should always be ignored when receiving and should be considered invalid if the application attemps to send it set. --- android/avrcp-lib.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/android/avrcp-lib.c b/android/avrcp-lib.c index a490d76bb..2c3d2e9df 100644 --- a/android/avrcp-lib.c +++ b/android/avrcp-lib.c @@ -1786,12 +1786,19 @@ static gboolean register_notification_rsp(struct avctp *conn, switch (event) { case AVRCP_EVENT_STATUS_CHANGED: + if (pdu->params_len != sizeof(*rsp) + sizeof(uint8_t)) { + err = -EPROTO; + goto done; + } + params = rsp->data; + break; case AVRCP_EVENT_VOLUME_CHANGED: if (pdu->params_len != sizeof(*rsp) + sizeof(uint8_t)) { err = -EPROTO; goto done; } params = rsp->data; + params[0] &= 0x7f; break; case AVRCP_EVENT_TRACK_CHANGED: if (pdu->params_len != sizeof(*rsp) + sizeof(value64)) { @@ -3270,6 +3277,7 @@ int avrcp_register_notification_rsp(struct avrcp *session, uint8_t transaction, { struct iovec iov[2]; uint16_t *player; + uint8_t *volume; if (event > AVRCP_EVENT_LAST) return -EINVAL; @@ -3279,9 +3287,15 @@ int avrcp_register_notification_rsp(struct avrcp *session, uint8_t transaction, switch (event) { case AVRCP_EVENT_STATUS_CHANGED: + if (len != sizeof(uint8_t)) + return -EINVAL; + break; case AVRCP_EVENT_VOLUME_CHANGED: if (len != sizeof(uint8_t)) return -EINVAL; + volume = data; + if (volume[0] > 127) + return -EINVAL; break; case AVRCP_EVENT_TRACK_CHANGED: if (len != sizeof(uint64_t)) -- 2.47.3