From 75a0706dc5aee143d5838363f3d51ff5862d5a4a Mon Sep 17 00:00:00 2001
From: Luiz Augusto von Dentz
Date: Wed, 7 May 2014 15:08:34 +0300
Subject: [PATCH] android/avrcp-lib: Fix avrcp_get_player_value_text
This fixes avrcp_get_player_value_text which is crashing due to use of uninitialized memory and generates invalid PDUs.
---
 android/avrcp-lib.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/android/avrcp-lib.c b/android/avrcp-lib.c
index 077343f9b..7f80596c7 100644
--- a/android/avrcp-lib.c
+++ b/android/avrcp-lib.c
@@ -1600,15 +1600,19 @@ int avrcp_get_player_value_text(struct avrcp *session, uint8_t attr,
 uint8_t number, uint8_t *values)
 {
 struct iovec iov[2];
+ uint8_t pdu[2];
 if (!number)
 return -EINVAL;
- iov[0].iov_base = &attr;
- iov[0].iov_len = sizeof(attr);
+ pdu[0] = attr;
+ pdu[1] = number;
+
+ iov[0].iov_base = pdu;
+ iov[0].iov_len = sizeof(pdu);
 iov[1].iov_base = values;
- iov[0].iov_len = number;
+ iov[1].iov_len = number;
 return avrcp_send_req(session, AVC_CTYPE_STATUS, AVC_SUBUNIT_PANEL,
 AVRCP_GET_PLAYER_VALUE_TEXT, iov, 2,
--
2.47.3
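Review bot: `values` is placed in `iov[1]` with a non-zero length but is never checked, so a NULL pointer from a caller would presumably be read for `number` bytes when the request is built; the guard at the top could become `if (!number || !values)`. `pdu` is a stack array, as `&attr` was before, so the code relies on avrcp_send_req() consuming or copying the iovec contents before it returns, which this hunk does not show; once confirmed, a comment such as `/* pdu is copied by avrcp_send_req(), so stack storage is fine */` would record that assumption. Because the old code left `iov[1].iov_len` uninitialized, the length read from `values` was whatever happened to be on the stack, and a unit test that pins the encoded PDU (attribute id, count, then the value ids) would keep that over-read from returning. The function body continues past the end of the hunk.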