author | Paul McLean <pmclean@google.com> | 2021-02-19 12:05:26 -0700 |
---|---|---|
committer | Paul McLean <pmclean@google.com> | 2021-02-22 11:22:53 -0700 |
commit | 565c5b82e0494a5fb7e1239d69cf25a57e7af83a (patch) | |
tree | 3d4ba6dd80c11697cf42127929d4817e91f4ed26 /src | |
parent | c73ecb155bb1abb7e3016ee70a8b58bf7e8cb4c9 (diff) | |
download | voip-565c5b82e0494a5fb7e1239d69cf25a57e7af83a.tar.gz |
Change offset checks to avoid reading unitialized data.
Previously we were checking against the buffer size.
Bug: 140054506
Test: handed to bferris@ for testing.
Change-Id: I83606aa7fb110fe288631923783a4a1a0383a629
Diffstat (limited to 'src')
-rw-r--r-- | src/jni/rtp/AudioGroup.cpp | 8 |
1 files changed, 3 insertions, 5 deletions
diff --git a/src/jni/rtp/AudioGroup.cpp b/src/jni/rtp/AudioGroup.cpp
index 5f9cae8..ee5eae3 100644
--- a/src/jni/rtp/AudioGroup.cpp
+++ b/src/jni/rtp/AudioGroup.cpp
@@ -422,17 +422,15 @@ void AudioStream::decode(int tick)
 return;
 }
 int offset = 12 + ((buffer[0] & 0x0F) << 2);
- if (offset+2 >= bufferSize) {
+ // length is guaranteed to be <= buffersize, so it is safe with respect
+ // buffer overflow testing as well as offset into uninitialized buffer
+ if (offset + 2 + (int)sizeof(uint16_t) > length) {
 ALOGV("invalid buffer offset: %d", offset+2);
 return;
 }
 if ((buffer[0] & 0x10) != 0) {
 offset += 4 + (ntohs(*(uint16_t *)&buffer[offset + 2]) << 2);
 }
- if (offset >= bufferSize) {
- ALOGV("invalid buffer offset: %d", offset);
- return;
- }
 if ((buffer[0] & 0x20) != 0) {
 length -= buffer[length - 1];
 }
|
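Review bot: The second offset check is deleted rather than rewritten, so once the extension-header branch advances `offset` by `4 + (ntohs(...) << 2)` (a value read from the packet, so up to 4 + 65535*4), nothing in this hunk compares the updated `offset` against `length` before the function continues; unless code below the hunk does so, a payload-length computation such as `length - offset` can go negative, and the padding subtraction `length -= buffer[length - 1]` can likewise leave `length` below `offset`. Keep a check after both adjustments, using `length` for consistency with the new first check, e.g. `if (offset > length) { ALOGV("invalid buffer offset: %d", offset); return; }`. The added comment also drops a word: `with respect to buffer overflow testing`. AudioStream::decode starts and ends outside the hunk.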