summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMarco Nelissen <marcone@google.com>2017-02-06 14:12:30 -0800
committerSean McCreary <mccreary@mcwest.org>2017-04-05 18:47:00 -0600
commit0836dbb870ff45470e595ec921fd5fab6e07d1ce (patch)
tree7bbbda69750050dc67452183d1a018cace62c223
parentf2c6b991081806343e038a687c8d8f63a747abd7 (diff)
downloadframeworks_av-0836dbb870ff45470e595ec921fd5fab6e07d1ce.zip
frameworks_av-0836dbb870ff45470e595ec921fd5fab6e07d1ce.tar.gz
frameworks_av-0836dbb870ff45470e595ec921fd5fab6e07d1ce.tar.bz2
Fix overflow check and check read result
Bug: 33861560 Test: build AOSP-Change-Id: Ia85519766e19a6e37237166f309750b3e8323c4e CVE-2017-0547 (cherry picked from commit 9667e3eff2d34c3797c3b529370de47b2c1f1bf6) Change-Id: I171aa1c7c4a4a5095ac7041371db14e3a4f3676a
-rw-r--r--media/libmedia/IHDCP.cpp18
1 files changed, 10 insertions, 8 deletions
diff --git a/media/libmedia/IHDCP.cpp b/media/libmedia/IHDCP.cpp
index f3a8902..e8c8a3d 100644
--- a/media/libmedia/IHDCP.cpp
+++ b/media/libmedia/IHDCP.cpp
@@ -241,14 +241,11 @@ status_t BnHDCP::onTransact(
case HDCP_ENCRYPT:
{
size_t size = data.readInt32();
- size_t bufSize = 2 * size;
-
- // watch out for overflow
void *inData = NULL;
- if (bufSize > size) {
- inData = malloc(bufSize);
+ // watch out for overflow
+ if (size <= SIZE_MAX / 2) {
+ inData = malloc(2 * size);
}
-
if (inData == NULL) {
reply->writeInt32(ERROR_OUT_OF_RANGE);
return OK;
@@ -256,11 +253,16 @@ status_t BnHDCP::onTransact(
void *outData = (uint8_t *)inData + size;
- data.read(inData, size);
+ status_t err = data.read(inData, size);
+ if (err != OK) {
+ free(inData);
+ reply->writeInt32(err);
+ return OK;
+ }
uint32_t streamCTR = data.readInt32();
uint64_t inputCTR;
- status_t err = encrypt(inData, size, streamCTR, &inputCTR, outData);
+ err = encrypt(inData, size, streamCTR, &inputCTR, outData);
reply->writeInt32(err);