diff options
author | android-build-team Robot <android-build-team-robot@google.com> | 2020-03-19 23:08:40 +0000 |
---|---|---|
committer | android-build-team Robot <android-build-team-robot@google.com> | 2020-03-19 23:08:40 +0000 |
commit | 6d8bee1d706efa928b6303a00f4f6e07f3425ec5 (patch) | |
tree | 010fd5704df43b73287aee7b20d889978fbaeb2a | |
parent | 66e4b1d1cce6d6ee2006e56af215bb20cb9ea820 (diff) | |
parent | 0fef164d3d1f5c4e963b8142c6f9bee2ab1becc8 (diff) | |
download | voip-android10-qpr3-release.tar.gz |
Snap for 6313343 from 0fef164d3d1f5c4e963b8142c6f9bee2ab1becc8 to qt-qpr3-releaseandroid-10.0.0_r41android-10.0.0_r40android-10.0.0_r39android-10.0.0_r38android-10.0.0_r37android10-qpr3-s1-releaseandroid10-qpr3-release
Change-Id: Ifc081120dc520951011defe1135005adbdf22c8b
-rw-r--r-- | src/jni/rtp/AudioGroup.cpp | 13 |
1 files changed, 11 insertions, 2 deletions
diff --git a/src/jni/rtp/AudioGroup.cpp b/src/jni/rtp/AudioGroup.cpp index aa3fc66..e01fbca 100644 --- a/src/jni/rtp/AudioGroup.cpp +++ b/src/jni/rtp/AudioGroup.cpp @@ -412,20 +412,29 @@ void AudioStream::decode(int tick) sockaddr_storage remote; socklen_t addrlen = sizeof(remote); - int length = recvfrom(mSocket, buffer, sizeof(buffer), + int bufferSize = sizeof(buffer); + int length = recvfrom(mSocket, buffer, bufferSize, MSG_TRUNC | MSG_DONTWAIT, (sockaddr *)&remote, &addrlen); // Do we need to check SSRC, sequence, and timestamp? They are not // reliable but at least they can be used to identify duplicates? - if (length < 12 || length > (int)sizeof(buffer) || + if (length < 12 || length > bufferSize || (ntohl(*(uint32_t *)buffer) & 0xC07F0000) != mCodecMagic) { ALOGV("stream[%d] malformed packet", mSocket); return; } int offset = 12 + ((buffer[0] & 0x0F) << 2); + if (offset+2 >= bufferSize) { + ALOGV("invalid buffer offset: %d", offset+2); + return; + } if ((buffer[0] & 0x10) != 0) { offset += 4 + (ntohs(*(uint16_t *)&buffer[offset + 2]) << 2); } + if (offset >= bufferSize) { + ALOGV("invalid buffer offset: %d", offset); + return; + } if ((buffer[0] & 0x20) != 0) { length -= buffer[length - 1]; } |