From 6067ac044bec6a422c7782973b8627a925fd0d8f Mon Sep 17 00:00:00 2001
From: Marco Nelissen <marcone@google.com>
Date: Wed, 19 Aug 2015 15:36:12 -0700
Subject: Check RTSP payload length

Bug: 23346388
Change-Id: Ifd918cefc90527c2f52177c3ce0da7a13259ad08
Tested-by: Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de>
---
 media/libstagefright/rtsp/AMPEG4AudioAssembler.cpp | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/media/libstagefright/rtsp/AMPEG4AudioAssembler.cpp b/media/libstagefright/rtsp/AMPEG4AudioAssembler.cpp
index f9a44f0..0ff0650 100644
--- a/media/libstagefright/rtsp/AMPEG4AudioAssembler.cpp
+++ b/media/libstagefright/rtsp/AMPEG4AudioAssembler.cpp
@@ -406,8 +406,9 @@ sp<ABuffer> AMPEG4AudioAssembler::removeLATMFraming(const sp<ABuffer> &buffer) {
                 break;
             }
         }
-
-        CHECK_LE(offset + payloadLength, buffer->size());
+        
+        CHECK_LT(offset, buffer->size());
+        CHECK_LE(payloadLength, buffer->size() - offset);
 
         memcpy(out->data() + out->size(), &ptr[offset], payloadLength);
         out->setRange(0, out->size() + payloadLength);
-- 
cgit v1.1