authorPaul McLean <pmclean@google.com>2021-02-19 12:05:26 -0700
committerPaul McLean <pmclean@google.com>2021-02-22 11:22:53 -0700
commit565c5b82e0494a5fb7e1239d69cf25a57e7af83a (patch)
tree3d4ba6dd80c11697cf42127929d4817e91f4ed26 /src
parentc73ecb155bb1abb7e3016ee70a8b58bf7e8cb4c9 (diff)
downloadvoip-565c5b82e0494a5fb7e1239d69cf25a57e7af83a.tar.gz
Change offset checks to avoid reading unitialized data.
Previously we were checking against the buffer size. Bug: 140054506 Test: handed to bferris@ for testing. Change-Id: I83606aa7fb110fe288631923783a4a1a0383a629
Diffstat (limited to 'src')
-rw-r--r--src/jni/rtp/AudioGroup.cpp8
1 files changed, 3 insertions, 5 deletions
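--- a/src/jni/rtp/AudioGroup.cpp
+++ b/src/jni/rtp/AudioGroup.cpp
@@ -422,17 +422,15 @@ void AudioStream::decode(int tick)
 return;
 }
 int offset = 12 + ((buffer[0] & 0x0F) << 2);
-if (offset+2 >= bufferSize) {
+// length is guaranteed to be <= buffersize, so it is safe with respect
+// buffer overflow testing as well as offset into uninitialized buffer
+if (offset + 2 + (int)sizeof(uint16_t) > length) {
 ALOGV("invalid buffer offset: %d", offset+2);
 return;
 }
 if ((buffer[0] & 0x10) != 0) {
 offset += 4 + (ntohs(*(uint16_t *)&buffer[offset + 2]) << 2);
 }
-if (offset >= bufferSize) {
-ALOGV("invalid buffer offset: %d", offset);
-return;
-}
 if ((buffer[0] & 0x20) != 0) {
 length -= buffer[length - 1];
 }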
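Review bot: Removing the second guard (the deleted `offset >= bufferSize` block) leaves the extension-header branch without any visible bound: the new check only proves the two bytes at `buffer[offset + 2]` are readable, while the line right after it can grow `offset` by up to `4 + 0xFFFF * 4`, far past `length`, and the padding subtraction `length -= buffer[length - 1]` can shrink `length` below `offset` as well. AudioStream::decode continues outside the hunk, so a later `length -= offset` / sign check may cover this, but that is not visible here and the new comment does not say the guard moved rather than vanished. I would keep a check against the received length where the old one stood, `if (offset > length) { ALOGV("invalid buffer offset: %d", offset); return; }`, or extend the comment to name the downstream check that now owns this bound. Minor: the comment's "safe with respect buffer overflow testing" should read "with respect to", and `(int)sizeof(uint16_t)` would be `static_cast<int>(sizeof(uint16_t))` in the file's C++ rather than a C-style cast.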