diff options
author | Kevin F. Haggerty <haggertk@lineageos.org> | 2020-04-06 22:20:00 -0600 |
---|---|---|
committer | Kevin F. Haggerty <haggertk@lineageos.org> | 2020-04-06 22:20:00 -0600 |
commit | bac69e690808c0290464e32dbb1e97cd5342e181 (patch) | |
tree | 0d2100a9f90a4f82d0a1464e06760d0b1d7da788 | |
parent | 92595d033186aa2b0307ac078d0d6aa62632d5ba (diff) | |
parent | 7f0714951555cf92df2fa3c85a0250be048948cb (diff) | |
download | frameworks_av-bac69e690808c0290464e32dbb1e97cd5342e181.tar.gz frameworks_av-bac69e690808c0290464e32dbb1e97cd5342e181.tar.bz2 frameworks_av-bac69e690808c0290464e32dbb1e97cd5342e181.zip |
Merge tag 'android-9.0.0_r55' of https://android.googlesource.com/platform/frameworks/av into staging/lineage-16.0_merge-android-9.0.0_r55
Android 9.0.0 Release 55 (6197209)
* tag 'android-9.0.0_r55' of https://android.googlesource.com/platform/frameworks/av:
[DO NOT MERGE] Fix heap buffer overflow in clearkey CryptoPlugin::decrypt
[DO NOT MERGE] Fix heap buffer overflow for releaseSecureStops.
Change-Id: I8bd1faa78e1ec46aa9e7e008066c3f60de5980b3
-rw-r--r-- | drm/mediadrm/plugins/clearkey/hidl/CryptoPlugin.cpp | 2 | ||||
-rw-r--r-- | drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp | 5 |
2 files changed, 7 insertions, 0 deletions
diff --git a/drm/mediadrm/plugins/clearkey/hidl/CryptoPlugin.cpp b/drm/mediadrm/plugins/clearkey/hidl/CryptoPlugin.cpp index 198e0997d0..cd2224db97 100644 --- a/drm/mediadrm/plugins/clearkey/hidl/CryptoPlugin.cpp +++ b/drm/mediadrm/plugins/clearkey/hidl/CryptoPlugin.cpp @@ -106,6 +106,8 @@ Return<void> CryptoPlugin::decrypt( return Void(); } + base = static_cast<uint8_t *>(static_cast<void *>(destBase->getPointer())); + if (destBuffer.offset + destBuffer.size > destBase->getSize()) { _hidl_cb(Status::ERROR_DRM_CANNOT_HANDLE, 0, "invalid buffer size"); return Void(); diff --git a/drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp b/drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp index d51e29dc57..30f745913a 100644 --- a/drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp +++ b/drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp @@ -531,6 +531,11 @@ Return<Status> DrmPlugin::releaseSecureStops(const SecureStopRelease& ssRelease) // count - number of secure stops // list of fixed length secure stops size_t countBufferSize = sizeof(uint32_t); + if (input.size() < countBufferSize) { + // SafetyNet logging + android_errorWriteLog(0x534e4554, "144766455"); + return Status::BAD_VALUE; + } uint32_t count = 0; sscanf(reinterpret_cast<char*>(input.data()), "%04" PRIu32, &count); |