commit 7902138f2e36ebe7452437a8394619619b8a66a6
author Marco Nelissen <marcone@google.com> Mon Feb 13 21:43:31 2017 +0000
committer android-build-merger <android-build-merger@google.com> Mon Feb 13 21:43:31 2017 +0000
tree 9ae986d8ac0c8468ee26f523fce78be6ef46db20
parent f0009384d8fe38a08187f6d9fb0e4b37d0619a10
parent 86bd734f58e6c283b8d996770e6d7ae5e5dd6954

Merge "stagefright: parseApp check data boundary conditions" into klp-dev am: 65433ff04d
am: 86bd734f58

Change-Id: I3729ea0064642ac10292561d450565ee735af369

media/libstagefright/wifi-display/rtp/RTPSender.cpp

diff --git a/media/libstagefright/wifi-display/rtp/RTPSender.cpp b/media/libstagefright/wifi-display/rtp/RTPSender.cpp
index 1887b8b..5b7a09d 100644
--- a/media/libstagefright/wifi-display/rtp/RTPSender.cpp
+++ b/media/libstagefright/wifi-display/rtp/RTPSender.cpp
@@ -766,9 +766,15 @@
 }
 
 status_t RTPSender::parseAPP(const uint8_t *data, size_t size) {
-    if (!memcmp("late", &data[8], 4)) {
-        int64_t avgLatencyUs = (int64_t)U64_AT(&data[12]);
-        int64_t maxLatencyUs = (int64_t)U64_AT(&data[20]);
+    static const size_t late_offset = 8;
+    static const char late_string[] = "late";
+    static const size_t avgLatencyUs_offset = late_offset + sizeof(late_string) - 1;
+    static const size_t maxLatencyUs_offset = avgLatencyUs_offset + sizeof(int64_t);
+
+    if ((size >= (maxLatencyUs_offset + sizeof(int64_t)))
+            && !memcmp(late_string, &data[late_offset], sizeof(late_string) - 1)) {
+        int64_t avgLatencyUs = (int64_t)U64_AT(&data[avgLatencyUs_offset]);
+        int64_t maxLatencyUs = (int64_t)U64_AT(&data[maxLatencyUs_offset]);
 
         sp<AMessage> notify = mNotify->dup();
         notify->setInt32("what", kWhatInformSender);