Bug 1125719 - Redial from bluetooth device cause bluetoothd and gecko crash. r=tzimmermann
author: Bruce Sun <brsun@mozilla.com>
date: Mon, 26 Jan 2015 19:07:23 +0800
changeset: 239376 88f85a8099caff291d117420b4804023e6b32d27
parent: 239375 f3b742b2343270205d8aaac4d703ec0cd38c30c4
child: 239377 0e4de8888c3b4a4937ac9d0263a27f881c746392
push id: 497
push user: mleibovic@mozilla.com
push date: Wed, 28 Jan 2015 16:43:37 +0000
reviewers: tzimmermann
bugs: 1125719
milestone: 38.0a1
Bug 1125719 - Redial from bluetooth device cause bluetoothd and gecko crash. r=tzimmermann

There is |aPDU.Consume(1)| at the beginning, so |aPDU.GetSize()| becomes 1 less than the actual data length we want to parse. As a result, |memchr()| will always fail by missing the final character by using |aPDU.GetSize()| as its |num| parameter.
dom/bluetooth/bluedroid/BluetoothDaemonHelpers.cpp
--- a/dom/bluetooth/bluedroid/BluetoothDaemonHelpers.cpp
+++ b/dom/bluetooth/bluedroid/BluetoothDaemonHelpers.cpp
@@ -1595,17 +1595,17 @@ UnpackPDU(BluetoothDaemonPDU& aPDU, nsDe
   // of 1 ensures we consume the \0 byte. With 'str' pointing to
   // the string in the PDU, we can copy the actual bytes.
 
   const char* str = reinterpret_cast<const char*>(aPDU.Consume(1));
   if (NS_WARN_IF(!str)) {
     return NS_ERROR_ILLEGAL_VALUE; // end of PDU
   }
 
-  const char* end = static_cast<char*>(memchr(str, '\0', aPDU.GetSize()));
+  const char* end = static_cast<char*>(memchr(str, '\0', aPDU.GetSize() + 1));
   if (NS_WARN_IF(!end)) {
     return NS_ERROR_ILLEGAL_VALUE; // no string terminator
   }
 
   ptrdiff_t len = end - str;
 
   const uint8_t* rest = aPDU.Consume(len);
   if (NS_WARN_IF(!rest)) {
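Review bot: the `+ 1` in `memchr(str, '\0', aPDU.GetSize() + 1)` is only safe because the preceding `aPDU.Consume(1)` has already advanced the PDU past the first byte that `str` points at, so the search window is exactly that byte plus the remaining `GetSize()` bytes and never reaches beyond the buffer; please add a one-line comment stating this invariant next to the `memchr` call, since a later change to the `Consume(1)` (for example consuming 0 or 2 bytes) would silently turn the `+ 1` into an over-read or reintroduce the missing-terminator failure this patch fixes, and the `NS_WARN_IF(!end)` check would no longer describe the real failure.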