From 53efa32ee044e896efae09a6acc8c5af8d0c437d Mon Sep 17 00:00:00 2001
From: Jin Cheng <jinCheng@espressif.com>
Date: Sat, 11 Oct 2025 14:17:24 +0800
Subject: [PATCH] fix(bt/bluedroid): check event ID if of register notification
 from remote to avoid OOB write

---
 components/bt/host/bluedroid/stack/avrc/avrc_pars_tg.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/components/bt/host/bluedroid/stack/avrc/avrc_pars_tg.c b/components/bt/host/bluedroid/stack/avrc/avrc_pars_tg.c
index a5fed6b2b02..cae87a2a9e0 100644
--- a/components/bt/host/bluedroid/stack/avrc/avrc_pars_tg.c
+++ b/components/bt/host/bluedroid/stack/avrc/avrc_pars_tg.c
@@ -242,7 +242,11 @@ static tAVRC_STS avrc_pars_vendor_cmd(tAVRC_MSG_VENDOR *p_msg, tAVRC_COMMAND *p_
             status = AVRC_STS_INTERNAL_ERR;
         } else {
             BE_STREAM_TO_UINT8 (p_result->reg_notif.event_id, p);
-            BE_STREAM_TO_UINT32 (p_result->reg_notif.param, p);
+            if (AVRC_IS_VALID_EVENT_ID(p_result->reg_notif.event_id)) {
+                BE_STREAM_TO_UINT32 (p_result->reg_notif.param, p);
+            } else {
+                status = AVRC_STS_BAD_PARAM;
+            }
         }
         break;