[automerger skipped] Merge sc-dev-plus-aosp-without-vendor@7634622 am: a1de4c6517 -s ours am: 883e10b6eb -s ours am: df427d2297 -s ours am: bdfd9b4a76 -s ours
am skip reason: Merged-In Ida30b3f19b975f65b66ef39540dd45c460911b53 with SHA-1 f36a184648 is already in history
Original change: https://googleplex-android-review.googlesource.com/c/platform/frameworks/opt/net/voip/+/15571807
Change-Id: I4363495fd3ad12b5d071a183c347a394608e34d8
diff --git a/src/jni/rtp/Android.bp b/src/jni/rtp/Android.bp
index 325d6b9..ed0117c 100644
--- a/src/jni/rtp/Android.bp
+++ b/src/jni/rtp/Android.bp
@@ -36,7 +36,6 @@
],
shared_libs: [
- "framework-permission-aidl-cpp",
"libandroid_runtime",
"libaudioclient",
"libaudiofoundation",
@@ -44,12 +43,13 @@
"libcutils",
"liblog",
"libnativehelper",
+ "libpermission",
"libstagefright_amrnb_common",
"libutils",
],
static_libs: [
"libgsm",
- "framework-permission-aidl-cpp",
+ "libpermission",
"libstagefright_amrnbdec",
"libstagefright_amrnbenc",
],
diff --git a/src/jni/rtp/AudioGroup.cpp b/src/jni/rtp/AudioGroup.cpp
index e92e799..d041c0f 100644
--- a/src/jni/rtp/AudioGroup.cpp
+++ b/src/jni/rtp/AudioGroup.cpp
@@ -426,17 +426,15 @@
return;
}
int offset = 12 + ((buffer[0] & 0x0F) << 2);
- if (offset+2 >= bufferSize) {
+ // length is guaranteed to be <= buffersize, so it is safe with respect
+ // buffer overflow testing as well as offset into uninitialized buffer
+ if (offset + 2 + (int)sizeof(uint16_t) > length) {
ALOGV("invalid buffer offset: %d", offset+2);
return;
}
if ((buffer[0] & 0x10) != 0) {
offset += 4 + (ntohs(*(uint16_t *)&buffer[offset + 2]) << 2);
}
- if (offset >= bufferSize) {
- ALOGV("invalid buffer offset: %d", offset);
- return;
- }
if ((buffer[0] & 0x20) != 0) {
length -= buffer[length - 1];
}