* [PATCH BlueZ v2 1/5] shared/util: Add strtoutf8 function
2025-07-08 7:08 [PATCH BlueZ v2 0/5] audio/avrcp: Fix crash with invalid UTF-8 item name Frédéric Danis
@ 2025-07-08 7:08 ` Frédéric Danis
2025-07-08 8:32 ` audio/avrcp: Fix crash with invalid UTF-8 item name bluez.test.bot
2025-07-08 13:55 ` [PATCH BlueZ v2 1/5] shared/util: Add strtoutf8 function Luiz Augusto von Dentz
2025-07-08 7:08 ` [PATCH BlueZ v2 2/5] audio/avrcp: Fix crash with invalid UTF-8 item name Frédéric Danis
` (4 subsequent siblings)
5 siblings, 2 replies; 11+ messages in thread
From: Frédéric Danis @ 2025-07-08 7:08 UTC (permalink / raw)
To: linux-bluetooth
This adds the strtoutf8 function that truncate a string before the
first non UTF-8 character.
This truncation is done in place.
---
src/shared/util.c | 42 ++++++++++++++++++++++++++++++++++++++++++
src/shared/util.h | 1 +
2 files changed, 43 insertions(+)
diff --git a/src/shared/util.c b/src/shared/util.c
index 5d3a14d96..5262458cb 100644
--- a/src/shared/util.c
+++ b/src/shared/util.c
@@ -1959,3 +1959,45 @@ bool argsisutf8(int argc, char *argv[])
return true;
}
+
+char *strtoutf8(char *str, size_t len)
+{
+ size_t i = 0;
+
+ while (i < len) {
+ unsigned char c = str[i];
+ size_t size = 0;
+
+ /* Check the first byte to determine the number of bytes in the
+ * UTF-8 character.
+ */
+ if ((c & 0x80) == 0x00)
+ size = 1;
+ else if ((c & 0xE0) == 0xC0)
+ size = 2;
+ else if ((c & 0xF0) == 0xE0)
+ size = 3;
+ else if ((c & 0xF8) == 0xF0)
+ size = 4;
+ else
+ /* Invalid UTF-8 sequence */
+ goto done;
+
+ /* Check the following bytes to ensure they have the correct
+ * format.
+ */
+ for (size_t j = 1; j < size; ++j) {
+ if (i + j > len || (str[i + j] & 0xC0) != 0x80)
+ /* Invalid UTF-8 sequence */
+ goto done;
+ }
+
+ /* Move to the next character */
+ i += size;
+ }
+
+done:
+ /* Truncate to the longest valid UTF-8 string */
+ memset(str + i, 0, len - i);
+ return str;
+}
diff --git a/src/shared/util.h b/src/shared/util.h
index dd357fb93..6fc02a9dc 100644
--- a/src/shared/util.h
+++ b/src/shared/util.h
@@ -92,6 +92,7 @@ int strsuffix(const char *str, const char *suffix);
char *strstrip(char *str);
bool strisutf8(const char *str, size_t length);
bool argsisutf8(int argc, char *argv[]);
+char *strtoutf8(char *str, size_t len);
void *util_malloc(size_t size);
void *util_memdup(const void *src, size_t size);
--
2.43.0
^ permalink raw reply related [flat|nested] 11+ messages in thread* RE: audio/avrcp: Fix crash with invalid UTF-8 item name
2025-07-08 7:08 ` [PATCH BlueZ v2 1/5] shared/util: Add strtoutf8 function Frédéric Danis
@ 2025-07-08 8:32 ` bluez.test.bot
2025-07-08 13:55 ` [PATCH BlueZ v2 1/5] shared/util: Add strtoutf8 function Luiz Augusto von Dentz
1 sibling, 0 replies; 11+ messages in thread
From: bluez.test.bot @ 2025-07-08 8:32 UTC (permalink / raw)
To: linux-bluetooth, frederic.danis
[-- Attachment #1: Type: text/plain, Size: 1261 bytes --]
This is automated email and please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=979916
---Test result---
Test Summary:
CheckPatch PENDING 0.26 seconds
GitLint PENDING 0.28 seconds
BuildEll PASS 20.40 seconds
BluezMake PASS 2504.14 seconds
MakeCheck PASS 19.71 seconds
MakeDistcheck PASS 182.72 seconds
CheckValgrind PASS 234.41 seconds
CheckSmatch PASS 304.83 seconds
bluezmakeextell PASS 128.08 seconds
IncrementalBuild PENDING 0.32 seconds
ScanBuild PASS 904.29 seconds
Details
##############################
Test: CheckPatch - PENDING
Desc: Run checkpatch.pl script
Output:
##############################
Test: GitLint - PENDING
Desc: Run gitlint
Output:
##############################
Test: IncrementalBuild - PENDING
Desc: Incremental build with the patches in the series
Output:
---
Regards,
Linux Bluetooth
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH BlueZ v2 1/5] shared/util: Add strtoutf8 function
2025-07-08 7:08 ` [PATCH BlueZ v2 1/5] shared/util: Add strtoutf8 function Frédéric Danis
2025-07-08 8:32 ` audio/avrcp: Fix crash with invalid UTF-8 item name bluez.test.bot
@ 2025-07-08 13:55 ` Luiz Augusto von Dentz
1 sibling, 0 replies; 11+ messages in thread
From: Luiz Augusto von Dentz @ 2025-07-08 13:55 UTC (permalink / raw)
To: Frédéric Danis; +Cc: linux-bluetooth
Hi Frédéric,
On Tue, Jul 8, 2025 at 3:08 AM Frédéric Danis
<frederic.danis@collabora.com> wrote:
>
> This adds the strtoutf8 function that truncate a string before the
> first non UTF-8 character.
> This truncation is done in place.
> ---
> src/shared/util.c | 42 ++++++++++++++++++++++++++++++++++++++++++
> src/shared/util.h | 1 +
> 2 files changed, 43 insertions(+)
>
> diff --git a/src/shared/util.c b/src/shared/util.c
> index 5d3a14d96..5262458cb 100644
> --- a/src/shared/util.c
> +++ b/src/shared/util.c
> @@ -1959,3 +1959,45 @@ bool argsisutf8(int argc, char *argv[])
>
> return true;
> }
> +
> +char *strtoutf8(char *str, size_t len)
> +{
> + size_t i = 0;
> +
> + while (i < len) {
> + unsigned char c = str[i];
> + size_t size = 0;
> +
> + /* Check the first byte to determine the number of bytes in the
> + * UTF-8 character.
> + */
> + if ((c & 0x80) == 0x00)
> + size = 1;
> + else if ((c & 0xE0) == 0xC0)
> + size = 2;
> + else if ((c & 0xF0) == 0xE0)
> + size = 3;
> + else if ((c & 0xF8) == 0xF0)
> + size = 4;
> + else
> + /* Invalid UTF-8 sequence */
> + goto done;
> +
> + /* Check the following bytes to ensure they have the correct
> + * format.
> + */
> + for (size_t j = 1; j < size; ++j) {
> + if (i + j > len || (str[i + j] & 0xC0) != 0x80)
> + /* Invalid UTF-8 sequence */
> + goto done;
> + }
> +
> + /* Move to the next character */
> + i += size;
> + }
Perhaps we should split this part on its own function or use strisutf8
but somehow return the last valid character found.
> +
> +done:
> + /* Truncate to the longest valid UTF-8 string */
> + memset(str + i, 0, len - i);
> + return str;
> +}
> diff --git a/src/shared/util.h b/src/shared/util.h
> index dd357fb93..6fc02a9dc 100644
> --- a/src/shared/util.h
> +++ b/src/shared/util.h
> @@ -92,6 +92,7 @@ int strsuffix(const char *str, const char *suffix);
> char *strstrip(char *str);
> bool strisutf8(const char *str, size_t length);
> bool argsisutf8(int argc, char *argv[]);
> +char *strtoutf8(char *str, size_t len);
>
> void *util_malloc(size_t size);
> void *util_memdup(const void *src, size_t size);
> --
> 2.43.0
>
>
--
Luiz Augusto von Dentz
^ permalink raw reply [flat|nested] 11+ messages in thread
* [PATCH BlueZ v2 2/5] audio/avrcp: Fix crash with invalid UTF-8 item name
2025-07-08 7:08 [PATCH BlueZ v2 0/5] audio/avrcp: Fix crash with invalid UTF-8 item name Frédéric Danis
2025-07-08 7:08 ` [PATCH BlueZ v2 1/5] shared/util: Add strtoutf8 function Frédéric Danis
@ 2025-07-08 7:08 ` Frédéric Danis
2025-07-08 7:08 ` [PATCH BlueZ v2 3/5] audio/mcp: Use strtoutf8 for player name and track title Frédéric Danis
` (3 subsequent siblings)
5 siblings, 0 replies; 11+ messages in thread
From: Frédéric Danis @ 2025-07-08 7:08 UTC (permalink / raw)
To: linux-bluetooth
As stated in AVRCP 1.6.2 chapter 6.10.2.3 Media element item, for the
Displayable Name Length property, the target device may truncate the
item name:
Length of Displayable Name in octets. The name shall be limited such
that a response to a GetFolderItems containing one media player item
fits within the maximum size of PDU which can be received by the CT.
This truncatation may occur in the middle of a multi-byte character,
at least with Samsung Music app, which triggers a DBus assertion and
crashes bluetoothd:
profiles/audio/player.c:media_folder_create_item() Din Dhal Jaye
Haye with lyrics | "दिन ढल जाए
हाय" गाने के बो� type audio uid 1
profiles/audio/player.c:media_folder_create_item()
/org/bluez/hci0/dev_24_24_B7_11_82_6C/player0/NowPlaying/item1
profiles/audio/player.c:media_player_set_metadata() Title: Din Dhal
Jaye Haye with lyrics | "दिन ढल जाए हाय"
गाने के बोल | Guide | Dev Anand, Waheeda Rehman
…
arguments to dbus_message_iter_append_basic() were incorrect,
assertion "_dbus_check_is_valid_utf8 (*string_p)" failed in
file dbus-message.c line 2775.
This is normally a bug in some application using the D-Bus library.
---
profiles/audio/avrcp.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/profiles/audio/avrcp.c b/profiles/audio/avrcp.c
index 831f1dc8b..30997335a 100644
--- a/profiles/audio/avrcp.c
+++ b/profiles/audio/avrcp.c
@@ -2595,8 +2595,10 @@ static struct media_item *parse_media_element(struct avrcp *session,
memset(name, 0, sizeof(name));
namesize = get_be16(&operands[11]);
namelen = MIN(namesize, sizeof(name) - 1);
- if (namelen > 0)
+ if (namelen > 0) {
memcpy(name, &operands[13], namelen);
+ strtoutf8(name, namelen);
+ }
count = operands[13 + namesize];
--
2.43.0
^ permalink raw reply related [flat|nested] 11+ messages in thread* [PATCH BlueZ v2 3/5] audio/mcp: Use strtoutf8 for player name and track title
2025-07-08 7:08 [PATCH BlueZ v2 0/5] audio/avrcp: Fix crash with invalid UTF-8 item name Frédéric Danis
2025-07-08 7:08 ` [PATCH BlueZ v2 1/5] shared/util: Add strtoutf8 function Frédéric Danis
2025-07-08 7:08 ` [PATCH BlueZ v2 2/5] audio/avrcp: Fix crash with invalid UTF-8 item name Frédéric Danis
@ 2025-07-08 7:08 ` Frédéric Danis
2025-07-08 7:08 ` [PATCH BlueZ v2 4/5] audio/gap: Use strtoutf8 for GAP device name Frédéric Danis
` (2 subsequent siblings)
5 siblings, 0 replies; 11+ messages in thread
From: Frédéric Danis @ 2025-07-08 7:08 UTC (permalink / raw)
To: linux-bluetooth
Truncate the string to first character before invalid UTF-8 one
instead of replacing non ascii characters by spaces.
---
profiles/audio/mcp.c | 11 +----------
1 file changed, 1 insertion(+), 10 deletions(-)
diff --git a/profiles/audio/mcp.c b/profiles/audio/mcp.c
index d3ccb97c5..5fe7ef82a 100644
--- a/profiles/audio/mcp.c
+++ b/profiles/audio/mcp.c
@@ -72,21 +72,12 @@ static void mcp_debug(const char *str, void *user_data)
static char *name2utf8(const uint8_t *name, uint16_t len)
{
char utf8_name[HCI_MAX_NAME_LENGTH + 2];
- int i;
-
- if (g_utf8_validate((const char *) name, len, NULL))
- return g_strndup((char *) name, len);
len = MIN(len, sizeof(utf8_name) - 1);
memset(utf8_name, 0, sizeof(utf8_name));
strncpy(utf8_name, (char *) name, len);
-
- /* Assume ASCII, and replace all non-ASCII with spaces */
- for (i = 0; utf8_name[i] != '\0'; i++) {
- if (!isascii(utf8_name[i]))
- utf8_name[i] = ' ';
- }
+ strtoutf8(utf8_name, len);
/* Remove leading and trailing whitespace characters */
g_strstrip(utf8_name);
--
2.43.0
^ permalink raw reply related [flat|nested] 11+ messages in thread* [PATCH BlueZ v2 4/5] audio/gap: Use strtoutf8 for GAP device name
2025-07-08 7:08 [PATCH BlueZ v2 0/5] audio/avrcp: Fix crash with invalid UTF-8 item name Frédéric Danis
` (2 preceding siblings ...)
2025-07-08 7:08 ` [PATCH BlueZ v2 3/5] audio/mcp: Use strtoutf8 for player name and track title Frédéric Danis
@ 2025-07-08 7:08 ` Frédéric Danis
2025-07-08 7:08 ` [PATCH BlueZ v2 5/5] eir: Use strtoutf8 for device names Frédéric Danis
2025-07-08 8:05 ` [PATCH BlueZ v2 0/5] audio/avrcp: Fix crash with invalid UTF-8 item name Bastien Nocera
5 siblings, 0 replies; 11+ messages in thread
From: Frédéric Danis @ 2025-07-08 7:08 UTC (permalink / raw)
To: linux-bluetooth
Truncate the string to first character before invalid UTF-8 one
instead of replacing non ascii characters by spaces.
---
profiles/gap/gas.c | 11 +----------
1 file changed, 1 insertion(+), 10 deletions(-)
diff --git a/profiles/gap/gas.c b/profiles/gap/gas.c
index 08aaf19cb..74dabf41f 100644
--- a/profiles/gap/gas.c
+++ b/profiles/gap/gas.c
@@ -69,21 +69,12 @@ static void gas_free(struct gas *gas)
static char *name2utf8(const uint8_t *name, uint16_t len)
{
char utf8_name[HCI_MAX_NAME_LENGTH + 2];
- int i;
-
- if (g_utf8_validate((const char *) name, len, NULL))
- return g_strndup((char *) name, len);
len = MIN(len, sizeof(utf8_name) - 1);
memset(utf8_name, 0, sizeof(utf8_name));
strncpy(utf8_name, (char *) name, len);
-
- /* Assume ASCII, and replace all non-ASCII with spaces */
- for (i = 0; utf8_name[i] != '\0'; i++) {
- if (!isascii(utf8_name[i]))
- utf8_name[i] = ' ';
- }
+ strtoutf8(utf8_name, len);
/* Remove leading and trailing whitespace characters */
g_strstrip(utf8_name);
--
2.43.0
^ permalink raw reply related [flat|nested] 11+ messages in thread* [PATCH BlueZ v2 5/5] eir: Use strtoutf8 for device names
2025-07-08 7:08 [PATCH BlueZ v2 0/5] audio/avrcp: Fix crash with invalid UTF-8 item name Frédéric Danis
` (3 preceding siblings ...)
2025-07-08 7:08 ` [PATCH BlueZ v2 4/5] audio/gap: Use strtoutf8 for GAP device name Frédéric Danis
@ 2025-07-08 7:08 ` Frédéric Danis
2025-07-08 8:05 ` [PATCH BlueZ v2 0/5] audio/avrcp: Fix crash with invalid UTF-8 item name Bastien Nocera
5 siblings, 0 replies; 11+ messages in thread
From: Frédéric Danis @ 2025-07-08 7:08 UTC (permalink / raw)
To: linux-bluetooth
Truncate the string to first character before invalid UTF-8 one
instead of replacing non ascii characters by spaces.
---
src/eir.c | 11 +----------
1 file changed, 1 insertion(+), 10 deletions(-)
diff --git a/src/eir.c b/src/eir.c
index 28b09653c..1e1f76952 100644
--- a/src/eir.c
+++ b/src/eir.c
@@ -127,19 +127,10 @@ static void eir_parse_uuid128(struct eir_data *eir, const uint8_t *data,
static char *name2utf8(const uint8_t *name, uint8_t len)
{
char utf8_name[HCI_MAX_NAME_LENGTH + 2];
- int i;
-
- if (g_utf8_validate((const char *) name, len, NULL))
- return g_strndup((char *) name, len);
memset(utf8_name, 0, sizeof(utf8_name));
strncpy(utf8_name, (char *) name, len);
-
- /* Assume ASCII, and replace all non-ASCII with spaces */
- for (i = 0; utf8_name[i] != '\0'; i++) {
- if (!isascii(utf8_name[i]))
- utf8_name[i] = ' ';
- }
+ strtoutf8(utf8_name, len);
/* Remove leading and trailing whitespace characters */
g_strstrip(utf8_name);
--
2.43.0
^ permalink raw reply related [flat|nested] 11+ messages in thread* Re: [PATCH BlueZ v2 0/5] audio/avrcp: Fix crash with invalid UTF-8 item name
2025-07-08 7:08 [PATCH BlueZ v2 0/5] audio/avrcp: Fix crash with invalid UTF-8 item name Frédéric Danis
` (4 preceding siblings ...)
2025-07-08 7:08 ` [PATCH BlueZ v2 5/5] eir: Use strtoutf8 for device names Frédéric Danis
@ 2025-07-08 8:05 ` Bastien Nocera
2025-07-08 14:01 ` Luiz Augusto von Dentz
5 siblings, 1 reply; 11+ messages in thread
From: Bastien Nocera @ 2025-07-08 8:05 UTC (permalink / raw)
To: Frédéric Danis, linux-bluetooth
On Tue, 2025-07-08 at 09:08 +0200, Frédéric Danis wrote:
> As stated in AVRCP 1.6.2 chapter 6.10.2.3 Media element item, for the
> Displayable Name Length property, the target device may truncate the
> item name:
>
> Length of Displayable Name in octets. The name shall be limited
> such
> that a response to a GetFolderItems containing one media player
> item
> fits within the maximum size of PDU which can be received by the
> CT.
>
> This truncatation may occur in the middle of a multi-byte character,
> at least with Samsung Music app, which triggers a DBus assertion and
> crashes bluetoothd:
>
> profiles/audio/player.c:media_folder_create_item() Din Dhal Jaye
> Haye with lyrics | "दिन ढल जाए
> हाय" गाने के बो� type audio uid 1
> profiles/audio/player.c:media_folder_create_item()
> /org/bluez/hci0/dev_24_24_B7_11_82_6C/player0/NowPlaying/item1
> profiles/audio/player.c:media_player_set_metadata() Title: Din Dhal
> Jaye Haye with lyrics | "दिन ढल जाए हाय"
> गाने के बोल | Guide | Dev Anand, Waheeda Rehman
> …
> arguments to dbus_message_iter_append_basic() were incorrect,
> assertion "_dbus_check_is_valid_utf8 (*string_p)" failed in
> file dbus-message.c line 2775.
> This is normally a bug in some application using the D-Bus library.
>
> v1->v2:
> - Introduce new strtoutf8() util function to truncate a string
> before
> the first non UTF-8 character.
> - Use strtoutf8() for AVRCP media element name
> - Use strtoutf8() for MCP player name and track title
> - Use strtoutf8() for Audio GAP device name
> - Use strtoutf8() for EIR device names
Would be great to have a test case for that new function, with a bunch
of the problems you ran into tested for.
>
> Frédéric Danis (5):
> shared/util: Add strtoutf8 function
> audio/avrcp: Fix crash with invalid UTF-8 item name
> audio/mcp: Use strtoutf8 for player name and track title
> audio/gap: Use strtoutf8 for GAP device name
> eir: Use strtoutf8 for device names
>
> profiles/audio/avrcp.c | 4 +++-
> profiles/audio/mcp.c | 11 +----------
> profiles/gap/gas.c | 11 +----------
> src/eir.c | 11 +----------
> src/shared/util.c | 42
> ++++++++++++++++++++++++++++++++++++++++++
> src/shared/util.h | 1 +
> 6 files changed, 49 insertions(+), 31 deletions(-)
^ permalink raw reply [flat|nested] 11+ messages in thread* Re: [PATCH BlueZ v2 0/5] audio/avrcp: Fix crash with invalid UTF-8 item name
2025-07-08 8:05 ` [PATCH BlueZ v2 0/5] audio/avrcp: Fix crash with invalid UTF-8 item name Bastien Nocera
@ 2025-07-08 14:01 ` Luiz Augusto von Dentz
0 siblings, 0 replies; 11+ messages in thread
From: Luiz Augusto von Dentz @ 2025-07-08 14:01 UTC (permalink / raw)
To: Bastien Nocera; +Cc: Frédéric Danis, linux-bluetooth
Hi Bastien, Frederic,
On Tue, Jul 8, 2025 at 4:05 AM Bastien Nocera <hadess@hadess.net> wrote:
>
> On Tue, 2025-07-08 at 09:08 +0200, Frédéric Danis wrote:
> > As stated in AVRCP 1.6.2 chapter 6.10.2.3 Media element item, for the
> > Displayable Name Length property, the target device may truncate the
> > item name:
> >
> > Length of Displayable Name in octets. The name shall be limited
> > such
> > that a response to a GetFolderItems containing one media player
> > item
> > fits within the maximum size of PDU which can be received by the
> > CT.
> >
> > This truncatation may occur in the middle of a multi-byte character,
> > at least with Samsung Music app, which triggers a DBus assertion and
> > crashes bluetoothd:
> >
> > profiles/audio/player.c:media_folder_create_item() Din Dhal Jaye
> > Haye with lyrics | "दिन ढल जाए
> > हाय" गाने के बो� type audio uid 1
> > profiles/audio/player.c:media_folder_create_item()
> > /org/bluez/hci0/dev_24_24_B7_11_82_6C/player0/NowPlaying/item1
> > profiles/audio/player.c:media_player_set_metadata() Title: Din Dhal
> > Jaye Haye with lyrics | "दिन ढल जाए हाय"
> > गाने के बोल | Guide | Dev Anand, Waheeda Rehman
> > …
> > arguments to dbus_message_iter_append_basic() were incorrect,
> > assertion "_dbus_check_is_valid_utf8 (*string_p)" failed in
> > file dbus-message.c line 2775.
> > This is normally a bug in some application using the D-Bus library.
> >
> > v1->v2:
> > - Introduce new strtoutf8() util function to truncate a string
> > before
> > the first non UTF-8 character.
> > - Use strtoutf8() for AVRCP media element name
> > - Use strtoutf8() for MCP player name and track title
> > - Use strtoutf8() for Audio GAP device name
> > - Use strtoutf8() for EIR device names
>
> Would be great to have a test case for that new function, with a bunch
> of the problems you ran into tested for.
Yep, we do have the likes of test-eir where we can add tests with
names for the devices, we probably want to try with strings where
there are invalid UTF-8 and also using other things like UTF16 and
other string formats to check that it doesn't crash at least.
> >
> > Frédéric Danis (5):
> > shared/util: Add strtoutf8 function
> > audio/avrcp: Fix crash with invalid UTF-8 item name
> > audio/mcp: Use strtoutf8 for player name and track title
> > audio/gap: Use strtoutf8 for GAP device name
> > eir: Use strtoutf8 for device names
> >
> > profiles/audio/avrcp.c | 4 +++-
> > profiles/audio/mcp.c | 11 +----------
> > profiles/gap/gas.c | 11 +----------
> > src/eir.c | 11 +----------
> > src/shared/util.c | 42
> > ++++++++++++++++++++++++++++++++++++++++++
> > src/shared/util.h | 1 +
> > 6 files changed, 49 insertions(+), 31 deletions(-)
>
--
Luiz Augusto von Dentz
^ permalink raw reply [flat|nested] 11+ messages in thread