From ec17923aa6e1d2010100afbd06b950e287dd972b Mon Sep 17 00:00:00 2001
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Date: Thu, 7 Mar 2013 17:11:58 +0200
Subject: [PATCH] AVRCP: Fix not checking for invalid player name length

This adds checks for invalid player name length that could cause crashes
while reading invalid memory.
---
 profiles/audio/avrcp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/profiles/audio/avrcp.c b/profiles/audio/avrcp.c
index 36e137fe7..98a0ea250 100644
--- a/profiles/audio/avrcp.c
+++ b/profiles/audio/avrcp.c
@@ -2093,7 +2093,7 @@ static void avrcp_parse_media_player_item(struct avrcp *session,
 	avrcp_player_parse_features(player, &operands[8]);
 
 	namelen = bt_get_be16(&operands[26]);
-	if (namelen > 0) {
+	if (namelen > 0 && namelen + 28 == len) {
 		namelen = MIN(namelen, sizeof(name) - 1);
 		memcpy(name, &operands[28], namelen);
 		name[namelen] = '\0';
-- 
2.47.3