diff options
| author | Johan Hedberg <johan.hedberg@nokia.com> | 2009-02-24 13:30:07 +0200 |
|---|---|---|
| committer | Johan Hedberg <johan.hedberg@nokia.com> | 2009-02-24 13:30:07 +0200 |
| commit | f48c24c3d758934fa5d3edfd49c9a2bced272e5b (patch) | |
| tree | 0ddf1dccfceb7b13475b9a3010182d4e358d96de | |
| parent | 9f7089874b304f036358716a304bbfb2c869297b (diff) | |
Be more strict about codec capability length checks
| -rw-r--r-- | audio/a2dp.c | 30 |
1 files changed, 19 insertions, 11 deletions
diff --git a/audio/a2dp.c b/audio/a2dp.c index 3ce255e8..e633c855 100644 --- a/audio/a2dp.c +++ b/audio/a2dp.c @@ -302,19 +302,27 @@ static gboolean sbc_setconf_ind(struct avdtp *session, /* Check bipool range */ for (codec_cap = NULL; caps; caps = g_slist_next(caps)) { cap = caps->data; - if (cap->category == AVDTP_MEDIA_CODEC) { - codec_cap = (void *) cap->data; - if (codec_cap->media_codec_type == A2DP_CODEC_SBC) { - sbc_cap = (void *) codec_cap; - if (sbc_cap->min_bitpool < MIN_BITPOOL || + if (cap->category != AVDTP_MEDIA_CODEC) + continue; + + if (cap->length < sizeof(struct sbc_codec_cap)) + continue; + + codec_cap = (void *) cap->data; + + if (codec_cap->media_codec_type != A2DP_CODEC_SBC) + continue; + + sbc_cap = (void *) codec_cap; + + if (sbc_cap->min_bitpool < MIN_BITPOOL || sbc_cap->max_bitpool > MAX_BITPOOL) { - *err = AVDTP_UNSUPPORTED_CONFIGURATION; - *category = AVDTP_MEDIA_CODEC; - return FALSE; - } - } - break; + *err = AVDTP_UNSUPPORTED_CONFIGURATION; + *category = AVDTP_MEDIA_CODEC; + return FALSE; } + + break; } avdtp_stream_add_cb(session, stream, stream_state_changed, a2dp_sep); |