Hi Lucas,
On Thu, Oct 6, 2011 at 2:49 PM, Lucas De Marchi
<lucas.demarchi@xxxxxxxxxxxxxx> wrote:
> ---
> audio/avrcp.c | 13 +++++--------
> 1 files changed, 5 insertions(+), 8 deletions(-)
>
> diff --git a/audio/avrcp.c b/audio/avrcp.c
> index 96a0d36..c36af5d 100644
> --- a/audio/avrcp.c
> +++ b/audio/avrcp.c
> @@ -715,12 +715,11 @@ static uint8_t avrcp_handle_set_player_value(struct avrcp_player *player,
> {
> uint16_t len = ntohs(pdu->params_len);
> unsigned int i;
> + uint8_t *param;
>
> - if (len < 3)
> + if (len < 3 || len > 2 * pdu->params[0] + 1U)
> goto err;
>
> - len = 0;
> -
> /*
> * From sec. 5.7 of AVRCP 1.3 spec, we should igore non-existent IDs
> * and set the existent ones. Sec. 5.2.4 is not clear however how to
> @@ -728,11 +727,9 @@ static uint8_t avrcp_handle_set_player_value(struct avrcp_player *player,
> * attribute is valid, we respond with no parameters. Otherwise an
> * E_INVALID_PARAM is sent.
> */
> - for (i = 1; i <= pdu->params[0]; i += 2) {
> - uint8_t attr = pdu->params[i];
> - uint8_t val = pdu->params[i + 1];
> -
> - if (player_set_attribute(player, attr, val) < 0)
> + for (len = 0, i = 0, param = &pdu->params[1]; i < pdu->params[0];
> + i++, param += 2) {
> + if (player_set_attribute(player, param[0], param[1]) < 0)
> continue;
>
> len++;
> --
> 1.7.7
Ack.
--
Luiz Augusto von Dentz
--
To unsubscribe from this list: send the line "unsubscribe linux-bluetooth" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
