commit fd233285616f31ebe339a413f24c0aa9891afedf
author Mark Salyzyn <salyzyn@google.com> Thu Jan 05 17:05:48 2017 +0000
committer android-build-merger <android-build-merger@google.com> Thu Jan 05 17:05:48 2017 +0000
tree bc0adf6f016b910b2fb645d9e36456f869b8229c
parent 8706043acc858d6191169912e40c7b7df7209c24
parent 657ea052843d98ca74150fa05ea678f651ec15bd

Merge "stagefright: parseApp check data boundary conditions" am: ea73e1aef0 am: 046ac31f1f
am: 657ea05284

Change-Id: I7cc3ec2563527e5b04cdf97d993e0fa8cc6f7c42

media/libstagefright/wifi-display/rtp/RTPSender.cpp

diff --git a/media/libstagefright/wifi-display/rtp/RTPSender.cpp b/media/libstagefright/wifi-display/rtp/RTPSender.cpp
index c66a898..83af393 100644
--- a/media/libstagefright/wifi-display/rtp/RTPSender.cpp
+++ b/media/libstagefright/wifi-display/rtp/RTPSender.cpp
@@ -762,10 +762,16 @@
     return OK;
 }
 
-status_t RTPSender::parseAPP(const uint8_t *data, size_t size __unused) {
-    if (!memcmp("late", &data[8], 4)) {
-        int64_t avgLatencyUs = (int64_t)U64_AT(&data[12]);
-        int64_t maxLatencyUs = (int64_t)U64_AT(&data[20]);
+status_t RTPSender::parseAPP(const uint8_t *data, size_t size) {
+    static const size_t late_offset = 8;
+    static const char late_string[] = "late";
+    static const size_t avgLatencyUs_offset = late_offset + sizeof(late_string) - 1;
+    static const size_t maxLatencyUs_offset = avgLatencyUs_offset + sizeof(int64_t);
+
+    if ((size >= (maxLatencyUs_offset + sizeof(int64_t)))
+            && !memcmp(late_string, &data[late_offset], sizeof(late_string) - 1)) {
+        int64_t avgLatencyUs = (int64_t)U64_AT(&data[avgLatencyUs_offset]);
+        int64_t maxLatencyUs = (int64_t)U64_AT(&data[maxLatencyUs_offset]);
 
         sp<AMessage> notify = mNotify->dup();
         notify->setInt32("what", kWhatInformSender);