Don't overflow uint32_t when checking whether maximal number of items was already processed. This happens when avrcp_handle_media_player_list() is called with start_item = 0x0 and end_item = UINT32_MAX which is caused by calling of avrcp_get_media_player_list(). --- profiles/audio/avrcp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/profiles/audio/avrcp.c b/profiles/audio/avrcp.c index 70c184b..bfd6238 100644 --- a/profiles/audio/avrcp.c +++ b/profiles/audio/avrcp.c @@ -1895,7 +1895,7 @@ static void avrcp_handle_media_player_list(struct avrcp *session, struct player_item *item; uint16_t namelen; - if (rsp->num_items == (end_item - start_item) + 1) + if (rsp->num_items == ((int64_t) end_item - start_item) + 1) break; folder = (void *)&pdu->params[pdu->param_len]; -- 2.7.4 -- To unsubscribe from this list: send the line "unsubscribe linux-bluetooth" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
