From dc7805b0c79d056385a076422894425984af2aa0 Mon Sep 17 00:00:00 2001 From: Marco Nelissen Date: Mon, 13 Feb 2017 14:19:40 -0800 Subject: resolve merge conflicts of 79cf158c51 to mnc-dev AOSP-Change-Id: Ied32e83215e386c801c02991a0b2fa4baa25b643 CVE-2017-0558 (cherry picked from commit 50358a80b1724f6cf1bcdf003e1abf9cc141b122) Change-Id: Ic2e40c7d6aec8427444a1fd145726e490e994d08 --- media/libstagefright/wifi-display/rtp/RTPSender.cpp | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/media/libstagefright/wifi-display/rtp/RTPSender.cpp b/media/libstagefright/wifi-display/rtp/RTPSender.cpp index c66a898..83af393 100644 --- a/media/libstagefright/wifi-display/rtp/RTPSender.cpp +++ b/media/libstagefright/wifi-display/rtp/RTPSender.cpp @@ -762,10 +762,16 @@ status_t RTPSender::parseTSFB(const uint8_t *data, size_t size) { return OK; } -status_t RTPSender::parseAPP(const uint8_t *data, size_t size __unused) { - if (!memcmp("late", &data[8], 4)) { - int64_t avgLatencyUs = (int64_t)U64_AT(&data[12]); - int64_t maxLatencyUs = (int64_t)U64_AT(&data[20]); +status_t RTPSender::parseAPP(const uint8_t *data, size_t size) { + static const size_t late_offset = 8; + static const char late_string[] = "late"; + static const size_t avgLatencyUs_offset = late_offset + sizeof(late_string) - 1; + static const size_t maxLatencyUs_offset = avgLatencyUs_offset + sizeof(int64_t); + + if ((size >= (maxLatencyUs_offset + sizeof(int64_t))) + && !memcmp(late_string, &data[late_offset], sizeof(late_string) - 1)) { + int64_t avgLatencyUs = (int64_t)U64_AT(&data[avgLatencyUs_offset]); + int64_t maxLatencyUs = (int64_t)U64_AT(&data[maxLatencyUs_offset]); sp notify = mNotify->dup(); notify->setInt32("what", kWhatInformSender); -- cgit v1.1