* [PATCH BlueZ] audio/avrcp: Fix crash with invalid UTF-8 item name
@ 2025-07-07 13:49 Frédéric Danis
  2025-07-07 14:19 ` Luiz Augusto von Dentz
  2025-07-07 15:13 ` [BlueZ] " bluez.test.bot
  0 siblings, 2 replies; 3+ messages in thread
From: Frédéric Danis @ 2025-07-07 13:49 UTC (permalink / raw)
  To: linux-bluetooth

As stated in AVRCP 1.6.2 chapter 6.10.2.3 Media element item, for the
Displayable Name Length property, the target device may truncate the
item name:

  Length of Displayable Name in octets. The name shall be limited such
  that a response to a GetFolderItems containing one media player item
  fits within the maximum size of PDU which can be received by the CT.

This truncation may occur in the middle of a multi-byte character,
at least with Samsung Music app, which triggers a DBus assertion and
crashes bluetoothd:

  profiles/audio/player.c:media_folder_create_item() Din Dhal Jaye
      Haye with lyrics | "दिन ढल जाए
      हाय" गाने के बो� type audio uid 1
  profiles/audio/player.c:media_folder_create_item()
      /org/bluez/hci0/dev_24_24_B7_11_82_6C/player0/NowPlaying/item1
  profiles/audio/player.c:media_player_set_metadata() Title: Din Dhal
      Jaye Haye with lyrics | "दिन ढल जाए हाय"
      गाने के बोल | Guide | Dev Anand, Waheeda Rehman
  …
  arguments to dbus_message_iter_append_basic() were incorrect,
      assertion "_dbus_check_is_valid_utf8 (*string_p)" failed in
      file dbus-message.c line 2775.
  This is normally a bug in some application using the D-Bus library.
---
 profiles/audio/avrcp.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/profiles/audio/avrcp.c b/profiles/audio/avrcp.c
index 831f1dc8b..65b40c57f 100644
--- a/profiles/audio/avrcp.c
+++ b/profiles/audio/avrcp.c
@@ -2598,6 +2598,19 @@ static struct media_item *parse_media_element(struct avrcp *session,
 	if (namelen > 0)
 		memcpy(name, &operands[13], namelen);
 
+	/* Truncate name to the last valid UTF-8 character */
+	while (!g_utf8_validate(name, namelen, NULL)) {
+		char *end = g_utf8_find_prev_char(name, name + namelen);
+
+		if (end == NULL) {
+			name[0] = '\0';
+			break;
+		}
+
+		namelen = end - name;
+		name[namelen] = '\0';
+	}
+
 	count = operands[13 + namesize];
 
 	player = session->controller->player;
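Review bot: the loop at the top of the hunk can be a single truncation: g_utf8_validate() takes a third argument that receives a pointer to the first invalid byte, so `const char *end; if (!g_utf8_validate(name, namelen, &end)) { namelen = end - name; name[namelen] = '\0'; }` cuts the name at the same byte the loop eventually reaches, in one step and without the `end == NULL` case of g_utf8_find_prev_char(). Whichever form is kept, the comment should say that an invalid byte in the middle of the name discards everything after it, not only a cut-off trailing character, so that the intended behaviour is clear to the next reader.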
-- 
2.43.0


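The "cut at the last complete character" rule the patch applies, written out as a stand-alone example added here; it is not BlueZ code and deliberately avoids GLib's g_utf8_validate() so it builds anywhere. It drops everything from the first invalid or cut-short byte onwards, which for a 3-byte Devanagari character truncated after its second byte, as in the report, means the partial character is removed. The function names are assumed.

```c
#include <stddef.h>

/* Length of the well-formed UTF-8 sequence starting at s (n bytes available),
 * or 0 if it is invalid or cut short. Stand-alone re-statement of the patch's
 * "truncate to the last valid character" rule; does not use GLib. */
static size_t utf8_seq_len(const unsigned char *s, size_t n)
{
	unsigned char c = s[0];
	size_t len, i;

	if (c < 0x80)
		return 1;
	len = (c >= 0xC2 && c <= 0xDF) ? 2 : (c >= 0xE0 && c <= 0xEF) ? 3 :
	      (c >= 0xF0 && c <= 0xF4) ? 4 : 0;
	if (len == 0 || n < len)
		return 0;	/* bad lead byte, or cut mid-character as reported */
	for (i = 1; i < len; i++)
		if ((s[i] & 0xC0) != 0x80)
			return 0;
	/* Reject overlong forms, UTF-16 surrogates and values above U+10FFFF */
	if ((c == 0xE0 && s[1] < 0xA0) || (c == 0xED && s[1] > 0x9F) ||
	    (c == 0xF0 && s[1] < 0x90) || (c == 0xF4 && s[1] > 0x8F))
		return 0;
	return len;
}

/* Number of leading bytes of s that form complete, valid UTF-8 characters;
 * everything from the first bad or cut byte onwards is dropped. */
size_t utf8_valid_prefix_len(const char *s, size_t n)
{
	const unsigned char *u = (const unsigned char *)s;
	size_t i = 0, len;

	while (i < n && (len = utf8_seq_len(u + i, n - i)) != 0)
		i += len;
	return i;
}

/* Truncate name in place, as the patch does after the memcpy() in
 * parse_media_element(); the buffer must hold namelen + 1 bytes. */
size_t utf8_truncate(char *name, size_t namelen)
{
	size_t kept = utf8_valid_prefix_len(name, namelen);

	name[kept] = '\0';
	return kept;
}
```

With the constructed input "\xE0\xA4\xA6\xE0\xA4\xBF\xE0\xA4" (the first 8 of the 9 bytes of "दिन"), utf8_truncate() keeps 6 bytes, the two complete characters.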

* Re: [PATCH BlueZ] audio/avrcp: Fix crash with invalid UTF-8 item name
  2025-07-07 13:49 [PATCH BlueZ] audio/avrcp: Fix crash with invalid UTF-8 item name Frédéric Danis
@ 2025-07-07 14:19 ` Luiz Augusto von Dentz
  2025-07-07 15:13 ` [BlueZ] " bluez.test.bot
  1 sibling, 0 replies; 3+ messages in thread
From: Luiz Augusto von Dentz @ 2025-07-07 14:19 UTC (permalink / raw)
  To: Frédéric Danis; +Cc: linux-bluetooth

Hi Frédéric,

On Mon, Jul 7, 2025 at 9:51 AM Frédéric Danis
<frederic.danis@collabora.com> wrote:
>
> As stated in AVRCP 1.6.2 chapter 6.10.2.3 Media element item, for the
> Displayable Name Length property, the target device may truncate the
> item name:
>
>   Length of Displayable Name in octets. The name shall be limited such
>   that a response to a GetFolderItems containing one media player item
>   fits within the maximum size of PDU which can be received by the CT.
>
> This truncation may occur in the middle of a multi-byte character,
> at least with Samsung Music app, which triggers a DBus assertion and
> crashes bluetoothd:
>
>   profiles/audio/player.c:media_folder_create_item() Din Dhal Jaye
>       Haye with lyrics | "दिन ढल जाए
>       हाय" गाने के बो� type audio uid 1
>   profiles/audio/player.c:media_folder_create_item()
>       /org/bluez/hci0/dev_24_24_B7_11_82_6C/player0/NowPlaying/item1
>   profiles/audio/player.c:media_player_set_metadata() Title: Din Dhal
>       Jaye Haye with lyrics | "दिन ढल जाए हाय"
>       गाने के बोल | Guide | Dev Anand, Waheeda Rehman
>   …
>   arguments to dbus_message_iter_append_basic() were incorrect,
>       assertion "_dbus_check_is_valid_utf8 (*string_p)" failed in
>       file dbus-message.c line 2775.
>   This is normally a bug in some application using the D-Bus library.
> ---
>  profiles/audio/avrcp.c | 13 +++++++++++++
>  1 file changed, 13 insertions(+)
>
> diff --git a/profiles/audio/avrcp.c b/profiles/audio/avrcp.c
> index 831f1dc8b..65b40c57f 100644
> --- a/profiles/audio/avrcp.c
> +++ b/profiles/audio/avrcp.c
> @@ -2598,6 +2598,19 @@ static struct media_item *parse_media_element(struct avrcp *session,
>         if (namelen > 0)
>                 memcpy(name, &operands[13], namelen);
>
> +       /* Truncate name to the last valid UTF-8 character */
> +       while (!g_utf8_validate(name, namelen, NULL)) {

Not really sure why you are doing this on a loop?

> +               char *end = g_utf8_find_prev_char(name, name + namelen);
> +
> +               if (end == NULL) {
> +                       name[0] = '\0';
> +                       break;
> +               }
> +
> +               namelen = end - name;
> +               name[namelen] = '\0';
> +       }

This might be a better approach than what the likes of name2utf8 is
doing so I wonder if we should replace that as well, that said I'd
suggest we add something built-in e.g. strtoutf8 and then handle the
truncation in a more generic way.

>         count = operands[13 + namesize];
>
>         player = session->controller->player;
> --
> 2.43.0
>
>


-- 
Luiz Augusto von Dentz


* RE: [BlueZ] audio/avrcp: Fix crash with invalid UTF-8 item name
  2025-07-07 13:49 [PATCH BlueZ] audio/avrcp: Fix crash with invalid UTF-8 item name Frédéric Danis
  2025-07-07 14:19 ` Luiz Augusto von Dentz
@ 2025-07-07 15:13 ` bluez.test.bot
  1 sibling, 0 replies; 3+ messages in thread
From: bluez.test.bot @ 2025-07-07 15:13 UTC (permalink / raw)
  To: linux-bluetooth, frederic.danis


This is an automated email; please do not reply to it!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=979696

---Test result---

Test Summary:
CheckPatch                    PENDING   0.23 seconds
GitLint                       PENDING   0.30 seconds
BuildEll                      PASS      20.81 seconds
BluezMake                     PASS      2717.29 seconds
MakeCheck                     PASS      20.41 seconds
MakeDistcheck                 PASS      187.70 seconds
CheckValgrind                 PASS      240.32 seconds
CheckSmatch                   PASS      317.72 seconds
bluezmakeextell               PASS      130.27 seconds
IncrementalBuild              PENDING   0.29 seconds
ScanBuild                     PASS      919.27 seconds

Details
##############################
Test: CheckPatch - PENDING
Desc: Run checkpatch.pl script
Output:

##############################
Test: GitLint - PENDING
Desc: Run gitlint
Output:

##############################
Test: IncrementalBuild - PENDING
Desc: Incremental build with the patches in the series
Output:



---
Regards,
Linux Bluetooth

