diff options
| author | Jeff Tinker <jtinker@google.com> | 2015-09-14 13:55:23 -0700 |
|---|---|---|
| committer | The Android Automerger <android-build@google.com> | 2015-09-28 17:08:18 -0700 |
| commit | 663bd4e902dda994da4f149de9851219e6b923a6 (patch) | |
| tree | b26df2f2c3a91739707b7c5d5e7900bd9ca7a1ce /drm | |
| parent | 8f0b2247ae9f9bcbc4cec6fa57e0c285b14e549f (diff) | |
| download | frameworks_av-663bd4e902dda994da4f149de9851219e6b923a6.zip frameworks_av-663bd4e902dda994da4f149de9851219e6b923a6.tar.gz frameworks_av-663bd4e902dda994da4f149de9851219e6b923a6.tar.bz2 | |
Fix heap data leak vulnerability
bug: 23600291
Change-Id: I7979e9e25ada01c13775be8580d433a8b4ce4ffe
Diffstat (limited to 'drm')
| -rw-r--r-- | drm/common/IDrmManagerService.cpp | 16 |
1 files changed, 10 insertions, 6 deletions
diff --git a/drm/common/IDrmManagerService.cpp b/drm/common/IDrmManagerService.cpp index b90da1b..f2e14b6 100644 --- a/drm/common/IDrmManagerService.cpp +++ b/drm/common/IDrmManagerService.cpp @@ -742,9 +742,11 @@ status_t BpDrmManagerService::decrypt( const status_t status = reply.readInt32(); ALOGV("Return value of decrypt() is %d", status); - const int size = reply.readInt32(); - (*decBuffer)->length = size; - reply.read((void *)(*decBuffer)->data, size); + if (status == NO_ERROR) { + const int size = reply.readInt32(); + (*decBuffer)->length = size; + reply.read((void *)(*decBuffer)->data, size); + } return status; } @@ -1470,9 +1472,11 @@ status_t BnDrmManagerService::onTransact( reply->writeInt32(status); - const int size = decBuffer->length; - reply->writeInt32(size); - reply->write(decBuffer->data, size); + if (status == NO_ERROR) { + const int size = decBuffer->length; + reply->writeInt32(size); + reply->write(decBuffer->data, size); + } clearDecryptHandle(&handle); delete encBuffer; encBuffer = NULL; |