From 91ef2747b630c549e2f206eb398212476d6ff81c Mon Sep 17 00:00:00 2001
From: Zhang Hai Peng
Date: Fri, 15 Aug 2025 14:54:07 +0800
Subject: [PATCH] fix(ble/bluedroid): Fixed potential out-of-bounds memory access when resolve adv data
(cherry picked from commit 12df54e8d16486fcba8263b8f2b9b8d3a8992703)
Co-authored-by: zhanghaipeng
---
 components/bt/host/bluedroid/stack/btm/btm_ble_gap.c | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/components/bt/host/bluedroid/stack/btm/btm_ble_gap.c b/components/bt/host/bluedroid/stack/btm/btm_ble_gap.c
index f3886643d9..b063aefd9b 100644
--- a/components/bt/host/bluedroid/stack/btm/btm_ble_gap.c
+++ b/components/bt/host/bluedroid/stack/btm/btm_ble_gap.c
@@ -2071,6 +2071,13 @@ UINT8 *BTM_CheckAdvData( UINT8 *p_adv, UINT16 adv_data_len, UINT8 type, UINT8 *p
 STREAM_TO_UINT8(adv_type, p);
 if ( adv_type == type ) {
+
+ if((p + length - 1) > (p_adv + adv_data_len)) {
+ /* avoid memory overflow*/
+ *p_length = 0;
+ return NULL;
+ }
+
 /* length doesn't include itself */
 *p_length = length - 1; /* minus the length of type */
 return p;
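Review bot: The new bound check forms the pointer `p + length - 1` before comparing it, and when the AD element's declared length overruns the buffer that pointer already lies past one-past-the-end of `p_adv`, which is undefined behavior in C even though no byte is read; compare lengths instead, e.g. `if ((size_t)(p - p_adv) + (length - 1) > adv_data_len) {`. The comparison itself is correctly inclusive: the element's data occupies `length - 1` bytes starting at `p`, so equality with the buffer end is in bounds. The check is also placed after `STREAM_TO_UINT8(adv_type, p)` has already read the type byte, so whether that read is itself bounded depends on the loop condition, which is outside the hunk; the same applies to the skip path `p += length - 1` for non-matching elements, which is not covered by this guard and presumably needs the equivalent test. As a point of style, the surrounding code writes `if ( ... )` with spaces and closes comments with a space (`/* avoid memory overflow */`), and the two added blank lines inside the `if` body are not used elsewhere in this function. `BTM_CheckAdvData` starts and ends outside the hunk.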