Google Git
Sign in
android / platform / frameworks / opt / net / voip / 92485a25ba19beaca2a193b3d9e4fa6351f92c09^2..92485a25ba19beaca2a193b3d9e4fa6351f92c09 / .
commit92485a25ba19beaca2a193b3d9e4fa6351f92c09[log] [tgz]
authorXin Li <delphij@google.com>Wed Aug 18 00:24:19 2021 +0000
committerAutomerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>Wed Aug 18 00:24:19 2021 +0000
tree2b393083d369c0e3d37eca44e936e802c5306b12
parentafad476dc56a815cdc4a4a7cd53ef3afcfdfdc6e [diff]
parentbdfd9b4a76260ee66cd5ea7618bfd53fb9a2fc67 [diff]
[automerger skipped] Merge sc-dev-plus-aosp-without-vendor@7634622 am: a1de4c6517 -s ours am: 883e10b6eb -s ours am: df427d2297 -s ours am: bdfd9b4a76 -s ours

am skip reason: Merged-In Ida30b3f19b975f65b66ef39540dd45c460911b53 with SHA-1 f36a184648 is already in history

Original change: https://googleplex-android-review.googlesource.com/c/platform/frameworks/opt/net/voip/+/15571807

Change-Id: I4363495fd3ad12b5d071a183c347a394608e34d8

diff --git a/src/jni/rtp/Android.bp b/src/jni/rtp/Android.bp
index 325d6b9..ed0117c 100644
--- a/src/jni/rtp/Android.bp
+++ b/src/jni/rtp/Android.bp

@@ -36,7 +36,6 @@
     ],
 
     shared_libs: [
-        "framework-permission-aidl-cpp",
         "libandroid_runtime",
         "libaudioclient",
         "libaudiofoundation",
@@ -44,12 +43,13 @@
         "libcutils",
         "liblog",
         "libnativehelper",
+        "libpermission",
         "libstagefright_amrnb_common",
         "libutils",
     ],
     static_libs: [
         "libgsm",
-        "framework-permission-aidl-cpp",
+        "libpermission",
         "libstagefright_amrnbdec",
         "libstagefright_amrnbenc",
     ],

diff --git a/src/jni/rtp/AudioGroup.cpp b/src/jni/rtp/AudioGroup.cpp
index e92e799..d041c0f 100644
--- a/src/jni/rtp/AudioGroup.cpp
+++ b/src/jni/rtp/AudioGroup.cpp

@@ -426,17 +426,15 @@
             return;
         }
         int offset = 12 + ((buffer[0] & 0x0F) << 2);
-        if (offset+2 >= bufferSize) {
+        // length is guaranteed to be <= buffersize, so it is safe with respect
+        // buffer overflow testing as well as offset into uninitialized buffer
+        if (offset + 2 + (int)sizeof(uint16_t) > length) {
             ALOGV("invalid buffer offset: %d", offset+2);
             return;
         }
         if ((buffer[0] & 0x10) != 0) {
             offset += 4 + (ntohs(*(uint16_t *)&buffer[offset + 2]) << 2);
         }
-        if (offset >= bufferSize) {
-            ALOGV("invalid buffer offset: %d", offset);
-            return;
-        }
         if ((buffer[0] & 0x20) != 0) {
             length -= buffer[length - 1];
         }