Fix information disclosure in mediadrmserver

Test:poc provided in bug bug:62872384 Change-Id: I3d104a2a64a0cb81e9fd5b04c4def1fbee64da2d CVE-2017-13152
author: Jeff Tinker <jtinker@google.com> 2017-10-09 11:52:18 -0700
committer: Ivan Kutepov <its.kutepov@gmail.com> 2017-12-09 19:01:57 +0300
commit: 3f7ccca648e855bd4decc6f8272559717f3d1295 (patch)
tree: afe0595a1680c7600f9d8757066ad1c758ebf4eb
parent: 6a3ab746c5365737f0cfec231d10131d680c40f7 (diff)
download: frameworks_av-3f7ccca648e855bd4decc6f8272559717f3d1295.tar.gz
frameworks_av-3f7ccca648e855bd4decc6f8272559717f3d1295.tar.bz2
frameworks_av-3f7ccca648e855bd4decc6f8272559717f3d1295.zip
1 files changed, 7 insertions, 2 deletions
diff --git a/media/libmedia/IDrm.cpp b/media/libmedia/IDrm.cpp
index 6f6530bfe2..637770ddb5 100644
--- a/media/libmedia/IDrm.cpp
+++ b/media/libmedia/IDrm.cpp
@@ -572,8 +572,13 @@ IMPLEMENT_META_INTERFACE(Drm, "android.drm.IDrm");
 
 void BnDrm::readVector(const Parcel &data, Vector<uint8_t> &vector) const {
     uint32_t size = data.readInt32();
-    vector.insertAt((size_t)0, size);
-    data.read(vector.editArray(), size);
+    if (vector.insertAt((size_t)0, size) < 0) {
+        vector.clear();
+    }
+    if (data.read(vector.editArray(), size) != NO_ERROR) {
+        vector.clear();
+        android_errorWriteWithInfoLog(0x534e4554, "62872384", -1, NULL, 0);
+    }
 }
 
 void BnDrm::writeVector(Parcel *reply, Vector<uint8_t> const &vector) const {
author	Jeff Tinker <jtinker@google.com>	2017-10-09 11:52:18 -0700
committer	Ivan Kutepov <its.kutepov@gmail.com>	2017-12-09 19:01:57 +0300
commit	3f7ccca648e855bd4decc6f8272559717f3d1295 (patch)
tree	afe0595a1680c7600f9d8757066ad1c758ebf4eb
parent	6a3ab746c5365737f0cfec231d10131d680c40f7 (diff)
download	frameworks_av-3f7ccca648e855bd4decc6f8272559717f3d1295.tar.gz frameworks_av-3f7ccca648e855bd4decc6f8272559717f3d1295.tar.bz2 frameworks_av-3f7ccca648e855bd4decc6f8272559717f3d1295.zip