commit ab28537a44442eff0b5ee0c1c3e2e333c535229b
author Shuo Qian <shuoq@google.com> Thu Apr 01 02:54:55 2021 +0000
committer Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> Thu Apr 01 02:54:55 2021 +0000
tree 3c185332d2c9226e4bc5cb8bdbeaa8f9ecea8a28
parent 4c902b471facf03d010f0c35bf1aa96c1e6d347e
parent 0a8d32e972557ec5462ea112a32ebf48b84684bc

Add permission for the broadcast intent with SIP profiles for security purpose. am: 0e459673aa am: 4ba90c33b5 am: 03c525a6bf am: 674a3c79b2 am: 673e019acc am: b3af60eab5 am: 0a8d32e972

Original change: https://googleplex-android-review.googlesource.com/c/platform/frameworks/opt/net/voip/+/13787771

Change-Id: Ie1cd70d669c88d2d11988ed3cff516450152ac0b

src/jni/rtp/AudioGroup.cpp

diff --git a/src/jni/rtp/AudioGroup.cpp b/src/jni/rtp/AudioGroup.cpp
index e57b7f7..bb5111f 100644
--- a/src/jni/rtp/AudioGroup.cpp
+++ b/src/jni/rtp/AudioGroup.cpp
@@ -431,17 +431,15 @@
             return;
         }
         int offset = 12 + ((buffer[0] & 0x0F) << 2);
-        if (offset+2 >= bufferSize) {
+        // length is guaranteed to be <= buffersize, so it is safe with respect
+        // buffer overflow testing as well as offset into uninitialized buffer
+        if (offset + 2 + (int)sizeof(uint16_t) > length) {
             ALOGV("invalid buffer offset: %d", offset+2);
             return;
         }
         if ((buffer[0] & 0x10) != 0) {
             offset += 4 + (ntohs(*(uint16_t *)&buffer[offset + 2]) << 2);
         }
-        if (offset >= bufferSize) {
-            ALOGV("invalid buffer offset: %d", offset);
-            return;
-        }
         if ((buffer[0] & 0x20) != 0) {
             length -= buffer[length - 1];
         }