From 89079f2ca635601c1408f8318978c1bc75ca5efd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Danis?=
Date: Tue, 8 Jul 2025 17:43:02 +0200
Subject: [PATCH] audio/avrcp: Fix crash with invalid UTF-8 item name
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

As stated in AVRCP 1.6.2 chapter 6.10.2.3 Media element item, for the
Displayable Name Length property, the target device may truncate the
item name:

  Length of Displayable Name in octets. The name shall be limited such
  that a response to a GetFolderItems containing one media player item
  fits within the maximum size of PDU which can be received by the CT.

This truncation may occur in the middle of a multi-byte character, at
least with Samsung Music app, which triggers a DBus assertion and
crashes bluetoothd:

  profiles/audio/player.c:media_folder_create_item() Din Dhal Jaye Haye with lyrics | "दिन ढल जाए हाय" गाने के बो� type audio uid 1
  profiles/audio/player.c:media_folder_create_item() /org/bluez/hci0/dev_24_24_B7_11_82_6C/player0/NowPlaying/item1
  profiles/audio/player.c:media_player_set_metadata() Title: Din Dhal Jaye Haye with lyrics | "दिन ढल जाए हाय" गाने के बोल | Guide | Dev Anand, Waheeda Rehman
  …
  arguments to dbus_message_iter_append_basic() were incorrect, assertion "_dbus_check_is_valid_utf8 (*string_p)" failed in file dbus-message.c line 2775.
  This is normally a bug in some application using the D-Bus library.
---
 profiles/audio/avrcp.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/profiles/audio/avrcp.c b/profiles/audio/avrcp.c index df28bf0b3..b3e69874d 100644 --- a/profiles/audio/avrcp.c +++ b/profiles/audio/avrcp.c
@@ -2595,8 +2595,10 @@ static struct media_item *parse_media_element(struct avrcp *session, memset(name, 0, sizeof(name)); namesize = get_be16(&operands[11]); namelen = MIN(namesize, sizeof(name) - 1); - if (namelen > 0) + if (namelen > 0) { memcpy(name, &operands[13], namelen); + strtoutf8(name, namelen); + } count = operands[13 + namesize]; -- 2.47.3
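Review bot: the new strtoutf8(name, namelen) call inside the if (namelen > 0) block carries no comment on why it is needed, and it covers only this one peer-supplied string. A one-line comment that the target may cut the displayable name mid-character (AVRCP 1.6.2, 6.10.2.3) would keep the call from being dropped in a later cleanup, and it is worth checking whether other strings parsed from AVRCP responses reach D-Bus without the same treatment. Separately, in the context lines namesize comes straight from get_be16(&operands[11]) and is then used in memcpy(name, &operands[13], namelen) and in operands[13 + namesize]; nothing in the visible lines checks it against the length of the received operands, so please confirm that check exists earlier in parse_media_element(), or add it here.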