Merge "Open /dev/urandom in O_CLOEXEC mode" am: e6550d3e98 am: 694bef43fc am: 9726373802 am: c8ad014540
Original change: https://android-review.googlesource.com/c/platform/frameworks/opt/net/voip/+/1675808
Change-Id: I36f29ce4510fac16419f4729a483745d1c23de8e
diff --git a/src/jni/rtp/AudioGroup.cpp b/src/jni/rtp/AudioGroup.cpp
index 644b414..ace4ab3 100644
--- a/src/jni/rtp/AudioGroup.cpp
+++ b/src/jni/rtp/AudioGroup.cpp
@@ -431,17 +431,15 @@
return;
}
int offset = 12 + ((buffer[0] & 0x0F) << 2);
- if (offset+2 >= bufferSize) {
+ // length is guaranteed to be <= buffersize, so it is safe with respect
+ // buffer overflow testing as well as offset into uninitialized buffer
+ if (offset + 2 + (int)sizeof(uint16_t) > length) {
ALOGV("invalid buffer offset: %d", offset+2);
return;
}
if ((buffer[0] & 0x10) != 0) {
offset += 4 + (ntohs(*(uint16_t *)&buffer[offset + 2]) << 2);
}
- if (offset >= bufferSize) {
- ALOGV("invalid buffer offset: %d", offset);
- return;
- }
if ((buffer[0] & 0x20) != 0) {
length -= buffer[length - 1];
}