[pulseaudio-discuss] [PATCH 2/2] bluetooth: Fix negative array index write

Peter Meerwald-Stadler pmeerw at pmeerw.net
Tue Aug 16 14:06:15 UTC 2016


From: Peter Meerwald <p.meerwald at bct-electronic.com>

CID 1533121

Signed-off-by: Peter Meerwald-Stadler <pmeerw at pmeerw.net>
---
 src/modules/bluetooth/backend-native.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/modules/bluetooth/backend-native.c b/src/modules/bluetooth/backend-native.c
index 86376c0..b5f78f5 100644
--- a/src/modules/bluetooth/backend-native.c
+++ b/src/modules/bluetooth/backend-native.c
@@ -232,13 +232,16 @@ static void rfcomm_io_callback(pa_mainloop_api *io, pa_io_event *e, int fd, pa_i
         int gain;
 
         len = read(fd, buf, 511);
+        if (len < 0) {
+            pa_log_error("RFCOMM read error: %s", pa_cstrerror(errno));
+            goto fail;
+        }
         buf[len] = 0;
         pa_log_debug("RFCOMM << %s", buf);
 
         if (sscanf(buf, "AT+VGS=%d", &gain) == 1) {
           t->speaker_gain = gain;
           pa_hook_fire(pa_bluetooth_discovery_hook(t->device->discovery, PA_BLUETOOTH_HOOK_TRANSPORT_SPEAKER_GAIN_CHANGED), t);
-
         } else if (sscanf(buf, "AT+VGM=%d", &gain) == 1) {
           t->microphone_gain = gain;
           pa_hook_fire(pa_bluetooth_discovery_hook(t->device->discovery, PA_BLUETOOTH_HOOK_TRANSPORT_MICROPHONE_GAIN_CHANGED), t);
@@ -259,7 +262,6 @@ static void rfcomm_io_callback(pa_mainloop_api *io, pa_io_event *e, int fd, pa_i
 fail:
     pa_bluetooth_transport_unlink(t);
     pa_bluetooth_transport_free(t);
-    return;
 }
 
 static void transport_destroy(pa_bluetooth_transport *t) {
-- 
2.9.3



More information about the pulseaudio-discuss mailing list