authorKevin F. Haggerty <haggertk@lineageos.org>2020-04-06 22:20:00 -0600
committerKevin F. Haggerty <haggertk@lineageos.org>2020-04-06 22:20:00 -0600
commitbac69e690808c0290464e32dbb1e97cd5342e181 (patch)
tree0d2100a9f90a4f82d0a1464e06760d0b1d7da788
parent92595d033186aa2b0307ac078d0d6aa62632d5ba (diff)
parent7f0714951555cf92df2fa3c85a0250be048948cb (diff)
Merge tag 'android-9.0.0_r55' of https://android.googlesource.com/platform/frameworks/av into staging/lineage-16.0_merge-android-9.0.0_r55
Android 9.0.0 Release 55 (6197209) * tag 'android-9.0.0_r55' of https://android.googlesource.com/platform/frameworks/av: [DO NOT MERGE] Fix heap buffer overflow in clearkey CryptoPlugin::decrypt [DO NOT MERGE] Fix heap buffer overflow for releaseSecureStops. Change-Id: I8bd1faa78e1ec46aa9e7e008066c3f60de5980b3
-rw-r--r--drm/mediadrm/plugins/clearkey/hidl/CryptoPlugin.cpp2
-rw-r--r--drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp5
2 files changed, 7 insertions, 0 deletions
diff --git a/drm/mediadrm/plugins/clearkey/hidl/CryptoPlugin.cpp b/drm/mediadrm/plugins/clearkey/hidl/CryptoPlugin.cpp
index 198e0997d0..cd2224db97 100644
--- a/drm/mediadrm/plugins/clearkey/hidl/CryptoPlugin.cpp
+++ b/drm/mediadrm/plugins/clearkey/hidl/CryptoPlugin.cpp
@@ -106,6 +106,8 @@ Return<void> CryptoPlugin::decrypt(
return Void();
}
+ base = static_cast<uint8_t *>(static_cast<void *>(destBase->getPointer()));
+
if (destBuffer.offset + destBuffer.size > destBase->getSize()) {
_hidl_cb(Status::ERROR_DRM_CANNOT_HANDLE, 0, "invalid buffer size");
return Void();
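Review bot: The bounds check right after the added `base` assignment adds `destBuffer.offset + destBuffer.size` with no guard against wraparound. If both fields are caller-supplied 64-bit values (their types are not visible in this hunk), a very large offset can wrap the sum below `destBase->getSize()` and pass the check. An overflow-checked form would close that gap: `size_t total = 0; if (__builtin_add_overflow(destBuffer.offset, destBuffer.size, &total) || total > destBase->getSize()) { ... }`. The result of `destBase->getPointer()` is also stored without a null test, and whether `base` is checked before use is not visible here, since decrypt starts and ends outside the hunk.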
diff --git a/drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp b/drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp
index d51e29dc57..30f745913a 100644
--- a/drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp
+++ b/drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp
@@ -531,6 +531,11 @@ Return<Status> DrmPlugin::releaseSecureStops(const SecureStopRelease& ssRelease)
// count - number of secure stops
// list of fixed length secure stops
size_t countBufferSize = sizeof(uint32_t);
+ if (input.size() < countBufferSize) {
+ // SafetyNet logging
+ android_errorWriteLog(0x534e4554, "144766455");
+ return Status::BAD_VALUE;
+ }
uint32_t count = 0;
sscanf(reinterpret_cast<char*>(input.data()), "%04" PRIu32, &count);
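Review bot: The added length check guarantees four bytes, but the `sscanf` call after it still parses `input.data()` as a C string, and nothing visible in this hunk guarantees a terminating NUL. The `%04` width limits only the digits consumed: leading whitespace is skipped without counting toward the width, and some libc implementations scan for the terminator before parsing, so the read can run past the end of the buffer. Parsing a bounded copy avoids this, e.g. `std::string countStr(input.begin(), input.begin() + countBufferSize);` followed by `sscanf(countStr.c_str(), "%04" PRIu32, &count)`, with the return value checked. releaseSecureStops continues past the end of the hunk, so how `count` is validated afterwards is not visible here.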