commit e600f4d47c2a56538002a317ddee11812ac61a0c
author Xin Li <delphij@google.com> Fri Jun 18 06:51:53 2021 +0000
committer Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> Fri Jun 18 06:51:53 2021 +0000
tree 2b393083d369c0e3d37eca44e936e802c5306b12
parent 3633a64c88111b340b660064fa9c9536abc2fa96
parent 8749a3714ca8177f3b23c8ae33beecd8a0d22959

[automerger skipped] DO NOT MERGE - Mark RQ3A.210410.001 as merged am: c21e847348 -s ours am: 3e6f48b1db -s ours am: 8749a3714c -s ours

am skip reason: subject contains skip directive

Original change: https://googleplex-android-review.googlesource.com/c/platform/frameworks/opt/net/voip/+/15023960

Change-Id: I9e3e0e9d494359d74b3a610504f2b34a12808ea8

src/jni/rtp/Android.bp

diff --git a/src/jni/rtp/Android.bp b/src/jni/rtp/Android.bp
index 325d6b9..ed0117c 100644
--- a/src/jni/rtp/Android.bp
+++ b/src/jni/rtp/Android.bp
@@ -36,7 +36,6 @@
     ],
 
     shared_libs: [
-        "framework-permission-aidl-cpp",
         "libandroid_runtime",
         "libaudioclient",
         "libaudiofoundation",
@@ -44,12 +43,13 @@
         "libcutils",
         "liblog",
         "libnativehelper",
+        "libpermission",
         "libstagefright_amrnb_common",
         "libutils",
     ],
     static_libs: [
         "libgsm",
-        "framework-permission-aidl-cpp",
+        "libpermission",
         "libstagefright_amrnbdec",
         "libstagefright_amrnbenc",
     ],

src/jni/rtp/AudioGroup.cpp

diff --git a/src/jni/rtp/AudioGroup.cpp b/src/jni/rtp/AudioGroup.cpp
index e92e799..d041c0f 100644
--- a/src/jni/rtp/AudioGroup.cpp
+++ b/src/jni/rtp/AudioGroup.cpp
@@ -426,17 +426,15 @@
             return;
         }
         int offset = 12 + ((buffer[0] & 0x0F) << 2);
-        if (offset+2 >= bufferSize) {
+        // length is guaranteed to be <= buffersize, so it is safe with respect
+        // buffer overflow testing as well as offset into uninitialized buffer
+        if (offset + 2 + (int)sizeof(uint16_t) > length) {
             ALOGV("invalid buffer offset: %d", offset+2);
             return;
         }
         if ((buffer[0] & 0x10) != 0) {
             offset += 4 + (ntohs(*(uint16_t *)&buffer[offset + 2]) << 2);
         }
-        if (offset >= bufferSize) {
-            ALOGV("invalid buffer offset: %d", offset);
-            return;
-        }
         if ((buffer[0] & 0x20) != 0) {
             length -= buffer[length - 1];
         }