summaryrefslogtreecommitdiffstats
path: root/drm/common
diff options
context:
space:
mode:
authorJeff Tinker <jtinker@google.com>2015-09-14 13:55:23 -0700
committerJeff Tinker <jtinker@google.com>2015-09-14 13:55:23 -0700
commit09ed70fab1f1424971ccc105dcdf5be5ce2e2643 (patch)
tree7cba0792014f79748c0fcc7c950cb4d6cc963403 /drm/common
parent13ff64c2db84f4e7cac3396700e333b48c42c7ee (diff)
downloadframeworks_av-09ed70fab1f1424971ccc105dcdf5be5ce2e2643.zip
frameworks_av-09ed70fab1f1424971ccc105dcdf5be5ce2e2643.tar.gz
frameworks_av-09ed70fab1f1424971ccc105dcdf5be5ce2e2643.tar.bz2
Fix heap data leak vulnerability
bug: 23600291 Change-Id: I7979e9e25ada01c13775be8580d433a8b4ce4ffe
Diffstat (limited to 'drm/common')
-rw-r--r--drm/common/IDrmManagerService.cpp16
1 files changed, 10 insertions, 6 deletions
diff --git a/drm/common/IDrmManagerService.cpp b/drm/common/IDrmManagerService.cpp
index db41e0b..c235201 100644
--- a/drm/common/IDrmManagerService.cpp
+++ b/drm/common/IDrmManagerService.cpp
@@ -741,9 +741,11 @@ status_t BpDrmManagerService::decrypt(
const status_t status = reply.readInt32();
ALOGV("Return value of decrypt() is %d", status);
- const int size = reply.readInt32();
- (*decBuffer)->length = size;
- reply.read((void *)(*decBuffer)->data, size);
+ if (status == NO_ERROR) {
+ const int size = reply.readInt32();
+ (*decBuffer)->length = size;
+ reply.read((void *)(*decBuffer)->data, size);
+ }
return status;
}
@@ -1438,9 +1440,11 @@ status_t BnDrmManagerService::onTransact(
reply->writeInt32(status);
- const int size = decBuffer->length;
- reply->writeInt32(size);
- reply->write(decBuffer->data, size);
+ if (status == NO_ERROR) {
+ const int size = decBuffer->length;
+ reply->writeInt32(size);
+ reply->write(decBuffer->data, size);
+ }
clearDecryptHandle(&handle);
delete encBuffer; encBuffer = NULL;