diff options
author | Chong Zhang <chz@google.com> | 2015-05-14 23:17:08 +0000 |
---|---|---|
committer | Android Git Automerger <android-git-automerger@android.com> | 2015-05-14 23:17:08 +0000 |
commit | 96a41a2ba5985aeb9163923f54d84cdaa3d0363d (patch) | |
tree | f0ef2332a613beac9eb6d78ea168ffea6487ff6a /media/libmedia | |
parent | a3e8f60f5e409f65f12636df5fad7f20ff736df5 (diff) | |
parent | dbe6c320b414d8139c46aaf880d5f154ef4f9af8 (diff) | |
download | frameworks_av-96a41a2ba5985aeb9163923f54d84cdaa3d0363d.zip frameworks_av-96a41a2ba5985aeb9163923f54d84cdaa3d0363d.tar.gz frameworks_av-96a41a2ba5985aeb9163923f54d84cdaa3d0363d.tar.bz2 |
am dbe6c320: HDCP: buffer over flow check -- DO NOT MERGE
* commit 'dbe6c320b414d8139c46aaf880d5f154ef4f9af8':
HDCP: buffer over flow check -- DO NOT MERGE
Diffstat (limited to 'media/libmedia')
-rw-r--r-- | media/libmedia/IHDCP.cpp | 26 |
1 files changed, 24 insertions, 2 deletions
diff --git a/media/libmedia/IHDCP.cpp b/media/libmedia/IHDCP.cpp index 1cf987a..9d93320 100644 --- a/media/libmedia/IHDCP.cpp +++ b/media/libmedia/IHDCP.cpp @@ -241,8 +241,19 @@ status_t BnHDCP::onTransact( case HDCP_ENCRYPT: { size_t size = data.readInt32(); + size_t bufSize = 2 * size; + + // watch out for overflow + void *inData = NULL; + if (bufSize > size) { + inData = malloc(bufSize); + } + + if (inData == NULL) { + reply->writeInt32(ERROR_OUT_OF_RANGE); + return OK; + } - void *inData = malloc(2 * size); void *outData = (uint8_t *)inData + size; data.read(inData, size); @@ -295,8 +306,19 @@ status_t BnHDCP::onTransact( case HDCP_DECRYPT: { size_t size = data.readInt32(); + size_t bufSize = 2 * size; + + // watch out for overflow + void *inData = NULL; + if (bufSize > size) { + inData = malloc(bufSize); + } + + if (inData == NULL) { + reply->writeInt32(ERROR_OUT_OF_RANGE); + return OK; + } - void *inData = malloc(2 * size); void *outData = (uint8_t *)inData + size; data.read(inData, size); |