Merge branch 'cm-13.0' of https://github.com/LineageOS/android_frameworks_av into replicant-6.0HEAD replicant-6.0-0001 replicant-6.0

author: Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de> 2017-05-02 19:21:00 +0200
committer: Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de> 2017-05-02 19:21:00 +0200
commit: eca582052ef000897f69d6d0bdd96c7a8aa59cda (patch)
tree: 7472d8773c4bb9321fdd41d0aef057e30045e557 /media/libmedia
parent: 26718276fd99ef60d9646d79467d2bb3f2db5549 (diff)
parent: dc7805b0c79d056385a076422894425984af2aa0 (diff)
download: frameworks_av-replicant-6.0.zip
frameworks_av-replicant-6.0.tar.gz
frameworks_av-replicant-6.0.tar.bz2
2 files changed, 22 insertions, 8 deletions
diff --git a/media/libmedia/IEffect.cpp b/media/libmedia/IEffect.cpp
index faf5795..af6d8de 100644
--- a/media/libmedia/IEffect.cpp
+++ b/media/libmedia/IEffect.cpp
@@ -25,6 +25,9 @@
 
 namespace android {
 
+// Maximum command/reply size expected
+#define EFFECT_PARAM_SIZE_MAX       65536
+
 enum {
     ENABLE = IBinder::FIRST_CALL_TRANSACTION,
     DISABLE,
@@ -156,6 +159,10 @@ status_t BnEffect::onTransact(
             uint32_t cmdSize = data.readInt32();
             char *cmd = NULL;
             if (cmdSize) {
+                if (cmdSize > EFFECT_PARAM_SIZE_MAX) {
+                    reply->writeInt32(NO_MEMORY);
+                    return NO_ERROR;
+                }
                 cmd = (char *)calloc(cmdSize, 1);
                 if (cmd == NULL) {
                     reply->writeInt32(NO_MEMORY);
@@ -167,6 +174,11 @@ status_t BnEffect::onTransact(
             uint32_t replySz = replySize;
             char *resp = NULL;
             if (replySize) {
+                if (replySize > EFFECT_PARAM_SIZE_MAX) {
+                    free(cmd);
+                    reply->writeInt32(NO_MEMORY);
+                    return NO_ERROR;
+                }
                 resp = (char *)calloc(replySize, 1);
                 if (resp == NULL) {
                     free(cmd);
diff --git a/media/libmedia/IHDCP.cpp b/media/libmedia/IHDCP.cpp
index f3a8902..e8c8a3d 100644
--- a/media/libmedia/IHDCP.cpp
+++ b/media/libmedia/IHDCP.cpp
@@ -241,14 +241,11 @@ status_t BnHDCP::onTransact(
         case HDCP_ENCRYPT:
         {
             size_t size = data.readInt32();
-            size_t bufSize = 2 * size;
-
-            // watch out for overflow
             void *inData = NULL;
-            if (bufSize > size) {
-                inData = malloc(bufSize);
+            // watch out for overflow
+            if (size <= SIZE_MAX / 2) {
+                inData = malloc(2 * size);
             }
-
             if (inData == NULL) {
                 reply->writeInt32(ERROR_OUT_OF_RANGE);
                 return OK;
@@ -256,11 +253,16 @@ status_t BnHDCP::onTransact(
 
             void *outData = (uint8_t *)inData + size;
 
-            data.read(inData, size);
+            status_t err = data.read(inData, size);
+            if (err != OK) {
+                free(inData);
+                reply->writeInt32(err);
+                return OK;
+            }
 
             uint32_t streamCTR = data.readInt32();
             uint64_t inputCTR;
-            status_t err = encrypt(inData, size, streamCTR, &inputCTR, outData);
+            err = encrypt(inData, size, streamCTR, &inputCTR, outData);
 
             reply->writeInt32(err);
author	Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de>	2017-05-02 19:21:00 +0200
committer	Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de>	2017-05-02 19:21:00 +0200
commit	eca582052ef000897f69d6d0bdd96c7a8aa59cda (patch)
tree	7472d8773c4bb9321fdd41d0aef057e30045e557 /media/libmedia
parent	26718276fd99ef60d9646d79467d2bb3f2db5549 (diff)
parent	dc7805b0c79d056385a076422894425984af2aa0 (diff)
download	frameworks_av-replicant-6.0.zip frameworks_av-replicant-6.0.tar.gz frameworks_av-replicant-6.0.tar.bz2