Re: [PATCH BlueZ] audio/avrcp: Fix crash with invalid UTF-8 item name

Hi Frédéric,

On Mon, Jul 7, 2025 at 9:51 AM Frédéric Danis
<frederic.danis@xxxxxxxxxxxxx> wrote:
>
> As stated in AVRCP 1.6.2 chapter 6.10.2.3 Media element item, for the
> Displayable Name Length property, the target device may truncate the
> item name:
>
>   Length of Displayable Name in octets. The name shall be limited such
>   that a response to a GetFolderItems containing one media player item
>   fits within the maximum size of PDU which can be received by the CT.
>
> This truncation may occur in the middle of a multi-byte character,
> at least with Samsung Music app, which triggers a DBus assertion and
> crashes bluetoothd:
>
>   profiles/audio/player.c:media_folder_create_item() Din Dhal Jaye
>       Haye with lyrics | "दिन ढल जाए
>       हाय" गाने के बो� type audio uid 1
>   profiles/audio/player.c:media_folder_create_item()
>       /org/bluez/hci0/dev_24_24_B7_11_82_6C/player0/NowPlaying/item1
>   profiles/audio/player.c:media_player_set_metadata() Title: Din Dhal
>       Jaye Haye with lyrics | "दिन ढल जाए हाय"
>       गाने के बोल | Guide | Dev Anand, Waheeda Rehman
>
>   arguments to dbus_message_iter_append_basic() were incorrect,
>       assertion "_dbus_check_is_valid_utf8 (*string_p)" failed in
>       file dbus-message.c line 2775.
>   This is normally a bug in some application using the D-Bus library.
> ---
>  profiles/audio/avrcp.c | 13 +++++++++++++
>  1 file changed, 13 insertions(+)
>
> diff --git a/profiles/audio/avrcp.c b/profiles/audio/avrcp.c
> index 831f1dc8b..65b40c57f 100644
> --- a/profiles/audio/avrcp.c
> +++ b/profiles/audio/avrcp.c
> @@ -2598,6 +2598,19 @@ static struct media_item *parse_media_element(struct avrcp *session,
>         if (namelen > 0)
>                 memcpy(name, &operands[13], namelen);
>
> +       /* Truncate name to the last valid UTF-8 character */
> +       while (!g_utf8_validate(name, namelen, NULL)) {

Not really sure why you are doing this on a loop?

> +               char *end = g_utf8_find_prev_char(name, name + namelen);
> +
> +               if (end == NULL) {
> +                       name[0] = '\0';
> +                       break;
> +               }
> +
> +               namelen = end - name;
> +               name[namelen] = '\0';
> +       }

This might be a better approach than what the likes of name2utf8 is
doing, so I wonder if we should replace that as well; that said, I'd
suggest we add something built-in, e.g. strtoutf8, and then handle the
truncation in a more generic way.

>         count = operands[13 + namesize];
>
>         player = session->controller->player;
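Review bot: the while loop added after the memcpy backtracks one character per iteration where a single call does the job; g_utf8_validate() takes an `end` out-parameter that points at the first invalid byte, so `const char *end; if (!g_utf8_validate(name, namelen, &end)) { namelen = end - name; name[namelen] = '\0'; }` truncates in one step and also handles an invalid byte in the middle of the name, not only a multi-byte character cut off at the tail. g_utf8_find_prev_char() is documented for use on valid UTF-8, so stepping backwards over a buffer that has just failed validation is a weaker basis than the position the validator itself reports. The write `name[namelen] = '\0'` also assumes the buffer has room for the terminator; the allocation is outside this hunk, so worth confirming.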
> --
> 2.43.0
>
>


-- 
Luiz Augusto von Dentz