diff options
author | Edwin Wong <edwinwong@google.com> | 2019-11-27 10:46:17 -0800 |
---|---|---|
committer | Edwin Wong <edwinwong@google.com> | 2020-01-08 02:32:59 +0000 |
commit | fa237c4f76b7b9369d9c499bfdc81e5072ddde86 (patch) | |
tree | 602110097b4e474c12c38c6cc635f746219e42e1 | |
parent | 8f72d008d0c51da507fc3c447e68e02b9e2d8535 (diff) | |
download | frameworks_av-fa237c4f76b7b9369d9c499bfdc81e5072ddde86.tar.gz frameworks_av-fa237c4f76b7b9369d9c499bfdc81e5072ddde86.tar.bz2 frameworks_av-fa237c4f76b7b9369d9c499bfdc81e5072ddde86.zip |
[DO NOT MERGE] Fix heap buffer overflow for releaseSecureStops.
If the input SecureStopRelease size is less than sizeof(uint32_t)
in releaseSecureStops(), an out of bound read will occur.
bug: 144766455
bug: 144746235
bug: 147281068
Test: sts
ANDROID_BUILD_TOP= ./android-sts/tools/sts-tradefed run sts-engbuild-no-spl-lock -m StsHostTestCases --test android.security.sts.Poc19_11#testPocBug_144766455
Change-Id: Ieccdd86ad86966fbf1dde70d3b3fb73d6dd124a4
-rw-r--r-- | drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp b/drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp index 71bb2185bd..aab475ed88 100644 --- a/drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp +++ b/drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp @@ -818,6 +818,12 @@ Return<Status> DrmPlugin::releaseSecureStops(const SecureStopRelease& ssRelease) // and the drm service. The clearkey implementation consists of: // count - number of secure stops // list of fixed length secure stops + size_t countBufferSize = sizeof(uint32_t); + if (input.size() < countBufferSize) { + // SafetyNet logging + android_errorWriteLog(0x534e4554, "144766455"); + return Status::BAD_VALUE; + } uint32_t count = 0; sscanf(reinterpret_cast<char*>(input.data()), "%04" PRIu32, &count); |