From: Pauli Virtanen <noreply@github.com>
To: linux-bluetooth@vger.kernel.org
Subject: [bluez/bluez] fb0f8f: audio/player: Ensure metadata string is valid UTF-8
Date: Mon, 13 Apr 2026 12:53:55 -0700
Message-ID: <bluez/bluez/push/refs/heads/master/516099-1ab128@github.com>
Branch: refs/heads/master
Home: https://github.com/bluez/bluez
Commit: fb0f8f495ace893f65ee1eaa91e84743ccf62cc9
https://github.com/bluez/bluez/commit/fb0f8f495ace893f65ee1eaa91e84743ccf62cc9
Author: Frédéric Danis <frederic.danis@collabora.com>
Date: 2026-04-13 (Mon, 13 Apr 2026)
Changed paths:
M profiles/audio/player.c
Log Message:
-----------
audio/player: Ensure metadata string is valid UTF-8
bluetoothd crashes on reception of GetItemAttributes reply if it contains
an invalid UTF-8 string:
> BR-ACL: Handle 11 [B8:3C:28:E8:07:69 (Apple, Inc.)] flags 0x02 dlen 680
Channel: 71 len 676 ctrl 0x0304 [PSM 27 mode Enhanced Retransmission
(0x03)] {chan 7}
I-frame: Unsegmented TxSeq 2 ReqSeq 3
AVCTP Browsing: Response: type 0x00 label 2 PID 0x110e
AVRCP: GetItemAttributes: len 0x029a
Status: 0x04 (Success)
AttributeCount: 0x01 (1)
AttributeID: 0x00000001 (Title)
CharsetID: 0x006a (UTF-8)
AttributeLength: 0x0290 (656)
AttributeValue: ................................................
..........................................................................
.........................................................................2
009.......................................................................
..........................................................................
..........................................................................
..........................................................................
..........................................................................
..........................................................................
................
= bluetoothd: profiles/audio/player.c:media_player_set_playlist_item() 0
= bluetoothd: profiles/audio/player.c:media_player_set_metadata() Title:
奥巴马表示:美国之所以没有搞定中国,不是因为中国的军事实力以及经济强大
,而是因为中国从始至终都没有掉进我们安排的“陷阱”。时间倒回2009年,北京
钓鱼台国宾馆。奥巴马的随行团队一进门,连句客套话都没顾得上说,反手就把
随身带的电子设备挨个拔了电源、卸了电池。这阵仗看着像是在防监听,实则是
心虚。那群在长桌对面坐下的人,心里正翻腾着一种从未有过的无力感。因为眼
前的谈判对象,压根没打算照着他们兜里的剧本念台词。多年以后,退下来的奥
巴马在回忆录《应�
arguments to dbus_message_iter_append_basic() were incorrect,
assertion "_dbus_check_is_valid_utf8 (*string_p)" failed in file
dbus-message.c line 2775.
This is normally a bug in some application using the D-Bus library.
Commit: 1ab128f6d749427a5508592b3b2b587b724efccf
https://github.com/bluez/bluez/commit/1ab128f6d749427a5508592b3b2b587b724efccf
Author: Pauli Virtanen <pav@iki.fi>
Date: 2026-04-13 (Mon, 13 Apr 2026)
Changed paths:
M src/gatt-database.c
Log Message:
-----------
gatt-database: remove database from dbs list when destroyed
btd_gatt_database_new() adds btd_gatt_database to the dbs lookup queue,
but nothing removes it from there even when destroying.
Fix by removing databases from the lookup queue before destroy.
Fixes crash on adapter removal in some cases:
ERROR: AddressSanitizer: heap-use-after-free on address 0x7bd476be1308
READ of size 8 at 0x7bd476be1308 thread T0
#0 0x00000064562a in match_db
#1 0x000000865410 in queue_find
#2 0x000000645671 in btd_gatt_database_get
0x7bd476be1308 is located 8 bytes inside of 128-byte region [0x7bd476be1300,0x7bd476be>
freed by thread T0 here:
#0 0x7f1478cee4cf in free.part.0
#1 0x000000621625 in gatt_database_free
#2 0x000000645582 in btd_gatt_database_destroy
Compare: https://github.com/bluez/bluez/compare/516099a9d405...1ab128f6d749
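
An added example, not code from the BlueZ commits above: one way to make sure an AVRCP attribute value is valid UTF-8 before it reaches dbus_message_iter_append_basic() is to keep only its longest strictly valid prefix, which also covers a title that ends in a partial multi-byte sequence like the one in the trace. The names utf8_valid_prefix and metadata_to_utf8 are hypothetical, and truncating at the first bad byte (rather than substituting a replacement character) is an assumption about the desired behaviour.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Length of the longest prefix of s[0..len) that is strictly valid UTF-8
 * (no overlong forms, no surrogates, nothing above U+10FFFF, no NUL). */
size_t utf8_valid_prefix(const uint8_t *s, size_t len)
{
	size_t i = 0;

	while (i < len) {
		uint8_t c = s[i];
		size_t n, k;
		uint32_t cp, min;

		if (c == 0x00)
			break;		/* a D-Bus string cannot embed NUL */
		if (c < 0x80) { i++; continue; }
		else if ((c & 0xe0) == 0xc0) { n = 2; cp = c & 0x1f; min = 0x80; }
		else if ((c & 0xf0) == 0xe0) { n = 3; cp = c & 0x0f; min = 0x800; }
		else if ((c & 0xf8) == 0xf0) { n = 4; cp = c & 0x07; min = 0x10000; }
		else
			break;		/* stray continuation or invalid lead byte */

		if (len - i < n)
			break;		/* sequence cut off by the attribute length */
		for (k = 1; k < n; k++) {
			if ((s[i + k] & 0xc0) != 0x80)
				return i;	/* not a continuation byte */
			cp = (cp << 6) | (s[i + k] & 0x3f);
		}
		if (cp < min || cp > 0x10ffff || (cp >= 0xd800 && cp <= 0xdfff))
			break;		/* overlong, out of range or surrogate */
		i += n;
	}
	return i;
}

/* Hypothetical helper: copy an attribute value into a NUL-terminated string
 * that a UTF-8-asserting API will accept. The caller frees the result. */
char *metadata_to_utf8(const uint8_t *val, size_t len)
{
	size_t ok = utf8_valid_prefix(val, len);
	char *out = malloc(ok + 1);

	if (!out)
		return NULL;
	memcpy(out, val, ok);
	out[ok] = '\0';
	return out;
}
```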