Merge change 5804 into donut

* changes:
  Ensure that we never trigger ArrayIndexOutOfBoundsException by checking that the index is always < the array's length. Also ensures that the object's state is consistent. Should resolve a denial-of-service bug when handling malformed WAP pushes.

telephony/java/com/android/internal/telephony/WspTypeDecoder.java

@@ -187,22 +187,30 @@ public class WspTypeDecoder {
     }
 
     /**
-     * Decode the "Extension-media" type for WSP pdu
+    * Decode the "Extension-media" type for WSP PDU.
-     *
+    *
-     * @param startIndex The starting position of the "Extension-media" in this pdu
+    * @param startIndex The starting position of the "Extension-media" in this PDU.
-     *
+    *
-     * @return false when error(not a Extension-media) occur
+    * @return false on error, such as if there is no Extension-media at startIndex.
-     *         return value can be retrieved by getValueString() method
+    * Side-effects: updates stringValue (available with getValueString()), which will be
-     *         length of data in pdu can be retrieved by getValue32() method
+    * null on error. The length of the data in the PDU is available with getValue32(), 0
-     */
+    * on error.
+    */
     public boolean decodeExtensionMedia(int startIndex) {
         int index = startIndex;
-        while (wspData[index] != 0) {
+        dataLength = 0;
+        stringValue = null;
+        int length = wspData.length;
+        boolean rtrn = index < length;
+
+        while (index < length && wspData[index] != 0) {
             index++;
         }
+
         dataLength  = index - startIndex + 1;
         stringValue = new String(wspData, startIndex, dataLength - 1);
-        return true;
+
+        return rtrn;
     }
 
     /**