commit 51550677d63880cefa027a54d9a73f6219eafed9
author Michael Bestas <mkbestas@lineageos.org> Fri Jun 28 14:49:40 2024 +0300
committer Michael Bestas <mkbestas@lineageos.org> Fri Jun 28 14:49:40 2024 +0300
tree fae035f3deae41e8e37cc21f2aa27b3cb366224d
parent 9d32845ad36395aa4a2764c1847d9fc0ca7a6344
parent b5fa4126edafc848b167fbac314fd5a0a9e04f57

Merge tag 'LA.QSSI.14.0.r1-15700-qssi.0' into staging/lineage-21.0_merge-LA.QSSI.14.0.r1-15700-qssi.0

LA.QSSI.14.0.r1-15700-qssi.0

# By sarvsaur
# Via Linux Build Service Account (1) and Sarv Saurav (1)
* tag 'LA.QSSI.14.0.r1-15700-qssi.0':
  FM: OOB Write & Read Fix

Change-Id: Id58e87602dd09205d913115555a98322a7e459ff

helium/radio-helium.h

diff --git a/helium/radio-helium.h b/helium/radio-helium.h
index eb6ea9b..864b161 100644
--- a/helium/radio-helium.h
+++ b/helium/radio-helium.h
@@ -614,7 +614,7 @@
 struct hci_ev_af_list {
     int   tune_freq;
     short   pi_code;
-    char    af_size;
+    uint8_t af_size;
     char    af_list[FM_AF_LIST_MAX_SIZE];
 } __attribute__((packed)) ;
 
@@ -688,7 +688,7 @@
 } __attribute__((packed));
 
 struct hci_fm_data_rd_rsp {
-    char    data_len;
+    uint8_t data_len;
     char    data[DEFAULT_DATA_SIZE];
 } ;
 
@@ -750,6 +750,8 @@
 #define AF_SIZE_OFFSET 6
 #define AF_LIST_OFFSET 7
 #define RT_A_B_FLAG_OFFSET 4
+#define RDS_PS_NUMBER_MIN 1
+#define RDS_PS_NUMBER_MAX 12
 /*FM states*/
 
 enum radio_state_t {

helium/radio_helium_hal.c

diff --git a/helium/radio_helium_hal.c b/helium/radio_helium_hal.c
index 79e69f5..7cab27f 100644
--- a/helium/radio_helium_hal.c
+++ b/helium/radio_helium_hal.c
@@ -279,9 +279,10 @@
     hal->jni_cb->fm_get_sig_thres_cb(val, status);
 }
 
-static void hci_cc_default_data_read_rsp(char *ev_buff)
+static void hci_cc_default_data_read_rsp(uint8_t ev_buff[])
 {
-    int status, val= 0, data_len = 0;
+    int status, val= 0;
+    uint8_t data_len = 0;
 
     if (ev_buff == NULL) {
         ALOGE("Response buffer is null");
@@ -291,7 +292,7 @@
     if (status == 0) {
         data_len = ev_buff[1];
         ALOGV("hci_cc_default_data_read_rsp:data_len = %d", data_len);
-        memcpy(&hal->radio->def_data, &ev_buff[1], data_len + sizeof(char));
+        memcpy(&hal->radio->def_data, &ev_buff[1], data_len + sizeof(uint8_t));
 
         if (test_bit(def_data_rd_mask_flag, CMD_DEFRD_AF_RMSSI_TH)) {
             val = hal->radio->def_data.data[AF_RMSSI_TH_OFFSET];
@@ -528,7 +529,7 @@
             hci_cc_sig_threshold_rsp(pbuf);
             break;
     case hci_common_cmd_op_pack(HCI_OCF_FM_DEFAULT_DATA_READ):
-            hci_cc_default_data_read_rsp(pbuf);
+            hci_cc_default_data_read_rsp(&buff[3]);
             break;
     case hci_common_cmd_op_pack(HCI_OCF_FM_DEFAULT_DATA_WRITE):
             hci_cc_default_data_write_rsp(pbuf);
@@ -670,6 +671,15 @@
     int len;
     char *data;
 
+    if (buff == NULL) {
+        ALOGE("%s:%s, buffer is null\n", LOG_TAG,__func__);
+        return;
+    }
+    if (buff[RDS_PS_LENGTH_OFFSET] < RDS_PS_NUMBER_MIN ||
+        buff[RDS_PS_LENGTH_OFFSET] > RDS_PS_NUMBER_MAX) {
+        ALOGE("%s:Invalid PS strings number", LOG_TAG);
+        return;
+    }
     len = (buff[RDS_PS_LENGTH_OFFSET] * RDS_STRING) + RDS_OFFSET;
     data = malloc(len);
     if (!data) {