diff options
author | Marco Nelissen <marcone@google.com> | 2017-02-06 14:12:30 -0800 |
---|---|---|
committer | Sean McCreary <mccreary@mcwest.org> | 2017-04-05 18:47:00 -0600 |
commit | 0836dbb870ff45470e595ec921fd5fab6e07d1ce (patch) | |
tree | 7bbbda69750050dc67452183d1a018cace62c223 /media/libmedia | |
parent | f2c6b991081806343e038a687c8d8f63a747abd7 (diff) | |
download | frameworks_av-0836dbb870ff45470e595ec921fd5fab6e07d1ce.zip frameworks_av-0836dbb870ff45470e595ec921fd5fab6e07d1ce.tar.gz frameworks_av-0836dbb870ff45470e595ec921fd5fab6e07d1ce.tar.bz2 |
Fix overflow check and check read result
Bug: 33861560
Test: build
AOSP-Change-Id: Ia85519766e19a6e37237166f309750b3e8323c4e
CVE-2017-0547
(cherry picked from commit 9667e3eff2d34c3797c3b529370de47b2c1f1bf6)
Change-Id: I171aa1c7c4a4a5095ac7041371db14e3a4f3676a
Diffstat (limited to 'media/libmedia')
-rw-r--r-- | media/libmedia/IHDCP.cpp | 18 |
1 files changed, 10 insertions, 8 deletions
diff --git a/media/libmedia/IHDCP.cpp b/media/libmedia/IHDCP.cpp index f3a8902..e8c8a3d 100644 --- a/media/libmedia/IHDCP.cpp +++ b/media/libmedia/IHDCP.cpp @@ -241,14 +241,11 @@ status_t BnHDCP::onTransact( case HDCP_ENCRYPT: { size_t size = data.readInt32(); - size_t bufSize = 2 * size; - - // watch out for overflow void *inData = NULL; - if (bufSize > size) { - inData = malloc(bufSize); + // watch out for overflow + if (size <= SIZE_MAX / 2) { + inData = malloc(2 * size); } - if (inData == NULL) { reply->writeInt32(ERROR_OUT_OF_RANGE); return OK; @@ -256,11 +253,16 @@ status_t BnHDCP::onTransact( void *outData = (uint8_t *)inData + size; - data.read(inData, size); + status_t err = data.read(inData, size); + if (err != OK) { + free(inData); + reply->writeInt32(err); + return OK; + } uint32_t streamCTR = data.readInt32(); uint64_t inputCTR; - status_t err = encrypt(inData, size, streamCTR, &inputCTR, outData); + err = encrypt(inData, size, streamCTR, &inputCTR, outData); reply->writeInt32(err); |