[automerger skipped] DO NOT MERGE - Mark RQ3A.210410.001 as merged am: c21e847348 -s ours am: 3e6f48b1db -s ours am: 8749a3714c -s ours
am skip reason: subject contains skip directive
Original change: https://googleplex-android-review.googlesource.com/c/platform/frameworks/opt/net/voip/+/15023960
Change-Id: I9e3e0e9d494359d74b3a610504f2b34a12808ea8
diff --git a/src/jni/rtp/Android.bp b/src/jni/rtp/Android.bp
index 325d6b9..ed0117c 100644
--- a/src/jni/rtp/Android.bp
+++ b/src/jni/rtp/Android.bp
@@ -36,7 +36,6 @@
],
shared_libs: [
- "framework-permission-aidl-cpp",
"libandroid_runtime",
"libaudioclient",
"libaudiofoundation",
@@ -44,12 +43,13 @@
"libcutils",
"liblog",
"libnativehelper",
+ "libpermission",
"libstagefright_amrnb_common",
"libutils",
],
static_libs: [
"libgsm",
- "framework-permission-aidl-cpp",
+ "libpermission",
"libstagefright_amrnbdec",
"libstagefright_amrnbenc",
],
diff --git a/src/jni/rtp/AudioGroup.cpp b/src/jni/rtp/AudioGroup.cpp
index e92e799..d041c0f 100644
--- a/src/jni/rtp/AudioGroup.cpp
+++ b/src/jni/rtp/AudioGroup.cpp
@@ -426,17 +426,15 @@
return;
}
int offset = 12 + ((buffer[0] & 0x0F) << 2);
- if (offset+2 >= bufferSize) {
+ // length is guaranteed to be <= buffersize, so it is safe with respect
+ // buffer overflow testing as well as offset into uninitialized buffer
+ if (offset + 2 + (int)sizeof(uint16_t) > length) {
ALOGV("invalid buffer offset: %d", offset+2);
return;
}
if ((buffer[0] & 0x10) != 0) {
offset += 4 + (ntohs(*(uint16_t *)&buffer[offset + 2]) << 2);
}
- if (offset >= bufferSize) {
- ALOGV("invalid buffer offset: %d", offset);
- return;
- }
if ((buffer[0] & 0x20) != 0) {
length -= buffer[length - 1];
}