[automerger skipped] Merge "Fix potential OOB write in libbluetooth" into rvc-dev am: 5473887e4c am: 2d42b47ae1 -s ours
am skip reason: Change-Id I90834b920d61bfb2df9414a25d73ba40033e4748 with SHA-1 5d37d17af5 is in history
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/bt/+/12778870
Change-Id: I84a934e9b7cceaff1be94d8e00d572607d84183e
diff --git a/device/include/interop_database.h b/device/include/interop_database.h
index 52cf78c..54d8bd1 100644
--- a/device/include/interop_database.h
+++ b/device/include/interop_database.h
@@ -151,11 +151,17 @@
// because BR/EDR address and ADV random address are the same
{{{0xd4, 0x7a, 0xe2, 0, 0, 0}}, 3, INTEROP_DISABLE_NAME_REQUEST},
+ // Mazda Carkit
+ {{{0xfc, 0x35, 0xe6, 0, 0, 0}}, 3, INTEROP_AVRCP_1_4_ONLY},
+
// Toyota Car Audio
{{{0x00, 0x17, 0x53, 0, 0, 0}}, 3, INTEROP_AVRCP_1_4_ONLY},
// Honda High End Carkit
{{{0x9c, 0x8d, 0x7c, 0, 0, 0}}, 3, INTEROP_AVRCP_1_4_ONLY},
+
+ // Honda Civic Carkit
+ {{{0x0c, 0xd9, 0xc1, 0, 0, 0}}, 3, INTEROP_AVRCP_1_4_ONLY},
};
typedef struct {
diff --git a/packet/tests/avrcp/avrcp_test_packets.h b/packet/tests/avrcp/avrcp_test_packets.h
index 14e30e7..9028805 100644
--- a/packet/tests/avrcp/avrcp_test_packets.h
+++ b/packet/tests/avrcp/avrcp_test_packets.h
@@ -316,6 +316,10 @@
std::vector<uint8_t> set_browsed_player_request = {0x70, 0x00, 0x02, 0x00,
0x02};
+// AVRCP Set Browsed Player Request with player_id = 0
+std::vector<uint8_t> set_browsed_player_id_0_request = {0x70, 0x00, 0x02, 0x00,
+ 0x00};
+
// AVRCP Set Browsed Player Response with num items = 4 and depth = 0
std::vector<uint8_t> set_browsed_player_response = {
0x70, 0x00, 0x0a, 0x04, 0x00, 0x00, 0x00,
diff --git a/profile/avrcp/device.cc b/profile/avrcp/device.cc
index a7e0e9a..34292d2 100644
--- a/profile/avrcp/device.cc
+++ b/profile/avrcp/device.cc
@@ -1257,6 +1257,14 @@
return;
}
+ if (pkt->GetPlayerId() == 0 && num_items == 0) {
+ // Response fail if no browsable player in Bluetooth Player
+ auto response = SetBrowsedPlayerResponseBuilder::MakeBuilder(
+ Status::PLAYER_NOT_BROWSABLE, 0x0000, num_items, 0, "");
+ send_message(label, true, std::move(response));
+ return;
+ }
+
curr_browsed_player_id_ = pkt->GetPlayerId();
// Clear the path and push the new root.
diff --git a/profile/avrcp/tests/avrcp_device_test.cc b/profile/avrcp/tests/avrcp_device_test.cc
index d221e1b..8d70e43 100644
--- a/profile/avrcp/tests/avrcp_device_test.cc
+++ b/profile/avrcp/tests/avrcp_device_test.cc
@@ -1035,6 +1035,44 @@
SendMessage(1, request);
}
+TEST_F(AvrcpDeviceTest, setBrowsedPlayerTest) {
+ MockMediaInterface interface;
+ NiceMock<MockA2dpInterface> a2dp_interface;
+
+ test_device->RegisterInterfaces(&interface, &a2dp_interface, nullptr);
+
+ EXPECT_CALL(interface, SetBrowsedPlayer(_, _))
+ .Times(3)
+ .WillOnce(InvokeCb<1>(true, "", 0))
+ .WillOnce(InvokeCb<1>(false, "", 0))
+ .WillOnce(InvokeCb<1>(true, "", 2));
+
+ auto not_browsable_rsp = SetBrowsedPlayerResponseBuilder::MakeBuilder(
+ Status::PLAYER_NOT_BROWSABLE, 0x0000, 0, 0, "");
+ EXPECT_CALL(response_cb,
+ Call(1, true, matchPacket(std::move(not_browsable_rsp))))
+ .Times(1);
+
+ auto player_id_0_request =
+ TestBrowsePacket::Make(set_browsed_player_id_0_request);
+ SendBrowseMessage(1, player_id_0_request);
+
+ auto invalid_id_rsp = SetBrowsedPlayerResponseBuilder::MakeBuilder(
+ Status::INVALID_PLAYER_ID, 0x0000, 0, 0, "");
+ EXPECT_CALL(response_cb,
+ Call(2, true, matchPacket(std::move(invalid_id_rsp))))
+ .Times(1);
+
+ SendBrowseMessage(2, player_id_0_request);
+
+ auto response = SetBrowsedPlayerResponseBuilder::MakeBuilder(
+ Status::NO_ERROR, 0x0000, 2, 0, "");
+ EXPECT_CALL(response_cb, Call(3, true, matchPacket(std::move(response))))
+ .Times(1);
+
+ SendBrowseMessage(3, player_id_0_request);
+}
+
TEST_F(AvrcpDeviceTest, volumeChangedTest) {
MockMediaInterface interface;
NiceMock<MockA2dpInterface> a2dp_interface;
diff --git a/stack/smp/smp_br_main.cc b/stack/smp/smp_br_main.cc
index b06055f..2f5fe76 100644
--- a/stack/smp/smp_br_main.cc
+++ b/stack/smp/smp_br_main.cc
@@ -303,7 +303,6 @@
tSMP_BR_STATE curr_state = p_cb->br_state;
tSMP_BR_SM_TBL state_table;
uint8_t action, entry;
- tSMP_BR_ENTRY_TBL entry_table = smp_br_entry_table[p_cb->role];
SMP_TRACE_EVENT("main %s", __func__);
if (curr_state >= SMP_BR_STATE_MAX) {
@@ -317,6 +316,8 @@
return;
}
+ tSMP_BR_ENTRY_TBL entry_table = smp_br_entry_table[p_cb->role];
+
SMP_TRACE_DEBUG("SMP Role: %s State: [%s (%d)], Event: [%s (%d)]",
(p_cb->role == HCI_ROLE_SLAVE) ? "Slave" : "Master",
smp_get_br_state_name(p_cb->br_state), p_cb->br_state,
