commit 60fb9ade729b53214d195bbd451eb8c24f119eae
author Treehugger Robot <treehugger-gerrit@google.com> Wed Apr 14 20:34:12 2021 +0000
committer Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> Wed Apr 14 20:34:12 2021 +0000
tree c27617810efc46b96d8ff6c01b78a361f96ecb0e
parent 84a775224e69b38933edfd540a41491c14306c66
parent c8ad014540f03fac91500babb313b20e5d581726

Merge "Open /dev/urandom in O_CLOEXEC mode" am: e6550d3e98 am: 694bef43fc am: 9726373802 am: c8ad014540

Original change: https://android-review.googlesource.com/c/platform/frameworks/opt/net/voip/+/1675808

Change-Id: I36f29ce4510fac16419f4729a483745d1c23de8e

src/jni/rtp/AudioGroup.cpp

diff --git a/src/jni/rtp/AudioGroup.cpp b/src/jni/rtp/AudioGroup.cpp
index 644b414..ace4ab3 100644
--- a/src/jni/rtp/AudioGroup.cpp
+++ b/src/jni/rtp/AudioGroup.cpp
@@ -431,17 +431,15 @@
             return;
         }
         int offset = 12 + ((buffer[0] & 0x0F) << 2);
-        if (offset+2 >= bufferSize) {
+        // length is guaranteed to be <= buffersize, so it is safe with respect
+        // buffer overflow testing as well as offset into uninitialized buffer
+        if (offset + 2 + (int)sizeof(uint16_t) > length) {
             ALOGV("invalid buffer offset: %d", offset+2);
             return;
         }
         if ((buffer[0] & 0x10) != 0) {
             offset += 4 + (ntohs(*(uint16_t *)&buffer[offset + 2]) << 2);
         }
-        if (offset >= bufferSize) {
-            ALOGV("invalid buffer offset: %d", offset);
-            return;
-        }
         if ((buffer[0] & 0x20) != 0) {
             length -= buffer[length - 1];
         }