[automerger skipped] Merge "DO NOT MERGE - Merge RQ3A.210605.005" am: c08addd878 -s ours am: 5ef5b9278f -s ours am: f36a184648 -s ours am: 30a9090c7c -s ours
am skip reason: subject contains skip directive
Original change: https://android-review.googlesource.com/c/platform/frameworks/opt/net/voip/+/1741481
Change-Id: I851f8043806e5a151703a1e7acda9007bf0d866f
diff --git a/src/jni/rtp/Android.bp b/src/jni/rtp/Android.bp
index 325d6b9..ed0117c 100644
--- a/src/jni/rtp/Android.bp
+++ b/src/jni/rtp/Android.bp
@@ -36,7 +36,6 @@
],
shared_libs: [
- "framework-permission-aidl-cpp",
"libandroid_runtime",
"libaudioclient",
"libaudiofoundation",
@@ -44,12 +43,13 @@
"libcutils",
"liblog",
"libnativehelper",
+ "libpermission",
"libstagefright_amrnb_common",
"libutils",
],
static_libs: [
"libgsm",
- "framework-permission-aidl-cpp",
+ "libpermission",
"libstagefright_amrnbdec",
"libstagefright_amrnbenc",
],
diff --git a/src/jni/rtp/AudioGroup.cpp b/src/jni/rtp/AudioGroup.cpp
index e92e799..d041c0f 100644
--- a/src/jni/rtp/AudioGroup.cpp
+++ b/src/jni/rtp/AudioGroup.cpp
@@ -426,17 +426,15 @@
return;
}
int offset = 12 + ((buffer[0] & 0x0F) << 2);
- if (offset+2 >= bufferSize) {
+ // length is guaranteed to be <= buffersize, so it is safe with respect
+ // buffer overflow testing as well as offset into uninitialized buffer
+ if (offset + 2 + (int)sizeof(uint16_t) > length) {
ALOGV("invalid buffer offset: %d", offset+2);
return;
}
if ((buffer[0] & 0x10) != 0) {
offset += 4 + (ntohs(*(uint16_t *)&buffer[offset + 2]) << 2);
}
- if (offset >= bufferSize) {
- ALOGV("invalid buffer offset: %d", offset);
- return;
- }
if ((buffer[0] & 0x20) != 0) {
length -= buffer[length - 1];
}
