diff options
-rw-r--r-- | src/jni/rtp/Android.bp | 4 | ||||
-rw-r--r-- | src/jni/rtp/AudioGroup.cpp | 24 |
2 files changed, 13 insertions, 15 deletions
diff --git a/src/jni/rtp/Android.bp b/src/jni/rtp/Android.bp index 325d6b9..ed0117c 100644 --- a/src/jni/rtp/Android.bp +++ b/src/jni/rtp/Android.bp @@ -36,7 +36,6 @@ cc_library_shared { ], shared_libs: [ - "framework-permission-aidl-cpp", "libandroid_runtime", "libaudioclient", "libaudiofoundation", @@ -44,12 +43,13 @@ cc_library_shared { "libcutils", "liblog", "libnativehelper", + "libpermission", "libstagefright_amrnb_common", "libutils", ], static_libs: [ "libgsm", - "framework-permission-aidl-cpp", + "libpermission", "libstagefright_amrnbdec", "libstagefright_amrnbenc", ], diff --git a/src/jni/rtp/AudioGroup.cpp b/src/jni/rtp/AudioGroup.cpp index e92e799..eb3b18f 100644 --- a/src/jni/rtp/AudioGroup.cpp +++ b/src/jni/rtp/AudioGroup.cpp @@ -426,17 +426,15 @@ void AudioStream::decode(int tick) return; } int offset = 12 + ((buffer[0] & 0x0F) << 2); - if (offset+2 >= bufferSize) { + // length is guaranteed to be <= buffersize, so it is safe with respect + // buffer overflow testing as well as offset into uninitialized buffer + if (offset + 2 + (int)sizeof(uint16_t) > length) { ALOGV("invalid buffer offset: %d", offset+2); return; } if ((buffer[0] & 0x10) != 0) { offset += 4 + (ntohs(*(uint16_t *)&buffer[offset + 2]) << 2); } - if (offset >= bufferSize) { - ALOGV("invalid buffer offset: %d", offset); - return; - } if ((buffer[0] & 0x20) != 0) { length -= buffer[length - 1]; } @@ -828,13 +826,13 @@ bool AudioGroup::DeviceThread::threadLoop() track->setCallerName("rtp"); record->setCallerName("rtp"); if (track->set(AUDIO_STREAM_VOICE_CALL, sampleRate, AUDIO_FORMAT_PCM_16_BIT, - AUDIO_CHANNEL_OUT_MONO, output, AUDIO_OUTPUT_FLAG_NONE, NULL /*callback_t*/, - NULL /*user*/, 0 /*notificationFrames*/, 0 /*sharedBuffer*/, + AUDIO_CHANNEL_OUT_MONO, output, AUDIO_OUTPUT_FLAG_NONE, nullptr /*callback*/, + 0 /*notificationFrames*/, 0 /*sharedBuffer*/, false /*threadCanCallJava*/, AUDIO_SESSION_ALLOCATE, AudioTrack::TRANSFER_OBTAIN) != NO_ERROR || record->set(AUDIO_SOURCE_VOICE_COMMUNICATION, sampleRate, AUDIO_FORMAT_PCM_16_BIT, - AUDIO_CHANNEL_IN_MONO, input, NULL /*callback_t*/, NULL /*user*/, - 0 /*notificationFrames*/, false /*threadCanCallJava*/, AUDIO_SESSION_ALLOCATE, + AUDIO_CHANNEL_IN_MONO, input, nullptr /*callback*/, 0 /*notificationFrames*/, + false /*threadCanCallJava*/, AUDIO_SESSION_ALLOCATE, AudioRecord::TRANSFER_OBTAIN) != NO_ERROR) { ALOGE("cannot initialize audio device"); return false; @@ -905,8 +903,8 @@ bool AudioGroup::DeviceThread::threadLoop() status_t status = track->obtainBuffer(&buffer, 1); if (status == NO_ERROR) { int offset = sampleCount - toWrite; - memcpy(buffer.i8, &output[offset], buffer.size); - toWrite -= buffer.frameCount; + memcpy(buffer.data(), &output[offset], buffer.size()); + toWrite -= buffer.getFrameCount(); track->releaseBuffer(&buffer); } else if (status != TIMED_OUT && status != WOULD_BLOCK) { ALOGE("cannot write to AudioTrack"); @@ -921,8 +919,8 @@ bool AudioGroup::DeviceThread::threadLoop() status_t status = record->obtainBuffer(&buffer, 1); if (status == NO_ERROR) { int offset = sampleCount - toRead; - memcpy(&input[offset], buffer.i8, buffer.size); - toRead -= buffer.frameCount; + memcpy(&input[offset], buffer.data(), buffer.size()); + toRead -= buffer.getFrameCount(); record->releaseBuffer(&buffer); } else if (status != TIMED_OUT && status != WOULD_BLOCK) { ALOGE("cannot read from AudioRecord"); |