Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
===================================================================
RCS file: /ftp/cvs/cvsroot/src/usr.sbin/bta2dpd/bta2dpd/avdtp.c,v
rcsdiff: /ftp/cvs/cvsroot/src/usr.sbin/bta2dpd/bta2dpd/avdtp.c,v: warning: Unknown phrases like `commitid ...;' are present.
retrieving revision 1.2
retrieving revision 1.3
diff -u -p -r1.2 -r1.3
--- src/usr.sbin/bta2dpd/bta2dpd/avdtp.c 2018/07/25 19:03:50 1.2
+++ src/usr.sbin/bta2dpd/bta2dpd/avdtp.c 2019/08/05 13:39:18 1.3
@@ -1,4 +1,4 @@
-/* $NetBSD: avdtp.c,v 1.2 2018/07/25 19:03:50 kamil Exp $ */
+/* $NetBSD: avdtp.c,v 1.3 2019/08/05 13:39:18 maya Exp $ */
 /*-
 * Copyright (c) 2015 - 2016 Nathanial Sloss
@@ -210,7 +210,7 @@ avdtpDiscover(uint8_t *buffer, size_t re
 bool isSink;
 if (recvsize >= 2) {
- for (offset = 0;offset < recvsize;offset += 2) {
+ for (offset = 0; offset < recvsize - 1; offset += 2) {
 sepInfo->sep = buffer[offset] >> 2;
 sepInfo->media_Type = buffer[offset+1] >> 4;
 isSink = (buffer[offset+1] >> 3) & 1;
@@ -313,7 +313,7 @@ avdtpAutoConfigSBC(int fd, int recvfd, u
 uint8_t supBitpoolMin, supBitpoolMax, tmp_mask;
 size_t i;
- for (i = 0; i < cap_len; i++) {
+ for (i = 0; i < cap_len - 5; i++) {
 if (capabilities[i] == mediaTransport &&
 capabilities[i + 1] == 0 &&
 capabilities[i + 2] == mediaCodec &&
@@ -321,7 +321,7 @@ avdtpAutoConfigSBC(int fd, int recvfd, u
 capabilities[i + 5] == SBC_CODEC_ID)
 break;
 }
- if (i >= cap_len)
+ if (i >= cap_len - 9)
 goto auto_config_failed;
 availFreqMode = capabilities[i + 6];
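Review bot: Both new bounds in the avdtpAutoConfigSBC hunks (@@ -313 and @@ -321) subtract from `cap_len` before comparing with the `size_t i`, so a short capability list makes the subtraction wrap instead of failing. With `cap_len` below 5 the loop bound `cap_len - 5` becomes a very large value and the scan runs past the buffer; with `cap_len` from 5 to 8 the later `i >= cap_len - 9` test can never be true and `capabilities[i + 6]` is read out of bounds. The function body and `cap_len`'s declaration lie outside the hunks, but the comparison is carried out in unsigned arithmetic either way because `i` is `size_t`. Moving the offset to the other side avoids the wrap: `for (i = 0; i + 5 < cap_len; i++)` and `if (i + 9 >= cap_len)`. The capability bytes presumably come from the remote device, so the length should be treated as untrusted.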