diff options
| author | Edwin Wong <edwinwong@google.com> | 2019-11-26 14:40:45 -0800 |
|---|---|---|
| committer | Anis Assi <anisassi@google.com> | 2020-02-06 15:18:05 -0800 |
| commit | f0364ba28c822fb21322a8ac6cd7a2af3a5d2ec2 (patch) | |
| tree | bd44d2226761645428a4472a8bb62ce363e472f8 | |
| parent | e79a0716216edade8100dd4d6b05a69e80ce25ed (diff) | |
| download | frameworks_av-f0364ba28c822fb21322a8ac6cd7a2af3a5d2ec2.tar.gz frameworks_av-f0364ba28c822fb21322a8ac6cd7a2af3a5d2ec2.tar.bz2 frameworks_av-f0364ba28c822fb21322a8ac6cd7a2af3a5d2ec2.zip | |
[DO NOT MERGE] Fix heap buffer overflow for releaseSecureStops.
If the input SecureStopRelease size is less than sizeof(uint32_t)
in releaseSecureStops(), an out of bound read will occur.
bug: 144766455
bug: 144746235
bug: 147281068
Test: sts
ANDROID_BUILD_TOP= ./android-sts/tools/sts-tradefed run sts-engbuild-no-spl-lock -m StsHostTestCases --test android.security.sts.Poc19_11#testPocBug_144766455
Change-Id: I050504c1ef4e5c41fb47ee97e98db41399288a91
(cherry picked from commit 2587ab6c7642062ea1791de1868c28b1164a073c)
| -rw-r--r-- | drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp b/drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp index d51e29dc57..30f745913a 100644 --- a/drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp +++ b/drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp @@ -531,6 +531,11 @@ Return<Status> DrmPlugin::releaseSecureStops(const SecureStopRelease& ssRelease) // count - number of secure stops // list of fixed length secure stops size_t countBufferSize = sizeof(uint32_t); + if (input.size() < countBufferSize) { + // SafetyNet logging + android_errorWriteLog(0x534e4554, "144766455"); + return Status::BAD_VALUE; + } uint32_t count = 0; sscanf(reinterpret_cast<char*>(input.data()), "%04" PRIu32, &count); |