From 0fef164d3d1f5c4e963b8142c6f9bee2ab1becc8 Mon Sep 17 00:00:00 2001
From: Paul McLean <pmclean@google.com>
Date: Mon, 16 Dec 2019 15:44:13 -0700
Subject: Add buffer size checks to eliminate security vulnerability.

Bug:140054506
Test: This will need to be tested by bferris@ as I don't have the
facilities to test this.

Change-Id: I5977e216bcaecd4ed10c0a991bed2860e6d627d9
Merged-In: I5977e216bcaecd4ed10c0a991bed2860e6d627d9
---
 src/jni/rtp/AudioGroup.cpp | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/src/jni/rtp/AudioGroup.cpp b/src/jni/rtp/AudioGroup.cpp
index aa3fc66..e01fbca 100644
--- a/src/jni/rtp/AudioGroup.cpp
+++ b/src/jni/rtp/AudioGroup.cpp
@@ -412,20 +412,29 @@ void AudioStream::decode(int tick)
         sockaddr_storage remote;
         socklen_t addrlen = sizeof(remote);
 
-        int length = recvfrom(mSocket, buffer, sizeof(buffer),
+        int bufferSize = sizeof(buffer);
+        int length = recvfrom(mSocket, buffer, bufferSize,
             MSG_TRUNC | MSG_DONTWAIT, (sockaddr *)&remote, &addrlen);
 
         // Do we need to check SSRC, sequence, and timestamp? They are not
         // reliable but at least they can be used to identify duplicates?
-        if (length < 12 || length > (int)sizeof(buffer) ||
+        if (length < 12 || length > bufferSize ||
             (ntohl(*(uint32_t *)buffer) & 0xC07F0000) != mCodecMagic) {
             ALOGV("stream[%d] malformed packet", mSocket);
             return;
         }
         int offset = 12 + ((buffer[0] & 0x0F) << 2);
+        if (offset+2 >= bufferSize) {
+            ALOGV("invalid buffer offset: %d", offset+2);
+            return;
+        }
         if ((buffer[0] & 0x10) != 0) {
             offset += 4 + (ntohs(*(uint16_t *)&buffer[offset + 2]) << 2);
         }
+        if (offset >= bufferSize) {
+            ALOGV("invalid buffer offset: %d", offset);
+            return;
+        }
         if ((buffer[0] & 0x20) != 0) {
             length -= buffer[length - 1];
         }
-- 
cgit v1.2.3