author | Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de> | 2017-05-02 19:21:00 +0200 |
---|---|---|
committer | Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de> | 2017-05-02 19:21:00 +0200 |
commit | eca582052ef000897f69d6d0bdd96c7a8aa59cda (patch) | |
tree | 7472d8773c4bb9321fdd41d0aef057e30045e557 /media/libmedia | |
parent | 26718276fd99ef60d9646d79467d2bb3f2db5549 (diff) | |
parent | dc7805b0c79d056385a076422894425984af2aa0 (diff) | |
Merge branch 'cm-13.0' of https://github.com/LineageOS/android_frameworks_av into replicant-6.0 (refs: HEAD, replicant-6.0-0001, replicant-6.0)
Diffstat (limited to 'media/libmedia')
-rw-r--r-- | media/libmedia/IEffect.cpp | 12 | ||||
-rw-r--r-- | media/libmedia/IHDCP.cpp | 18 |
2 files changed, 22 insertions, 8 deletions
diff --git a/media/libmedia/IEffect.cpp b/media/libmedia/IEffect.cpp
index faf5795..af6d8de 100644
--- a/media/libmedia/IEffect.cpp
+++ b/media/libmedia/IEffect.cpp
@@ -25,6 +25,9 @@
 namespace android {
+// Maximum command/reply size expected
+#define EFFECT_PARAM_SIZE_MAX 65536
+
 enum {
 ENABLE = IBinder::FIRST_CALL_TRANSACTION,
 DISABLE,
@@ -156,6 +159,10 @@ status_t BnEffect::onTransact(
 uint32_t cmdSize = data.readInt32();
 char *cmd = NULL;
 if (cmdSize) {
+ if (cmdSize > EFFECT_PARAM_SIZE_MAX) {
+ reply->writeInt32(NO_MEMORY);
+ return NO_ERROR;
+ }
 cmd = (char *)calloc(cmdSize, 1);
 if (cmd == NULL) {
 reply->writeInt32(NO_MEMORY);
@@ -167,6 +174,11 @@ status_t BnEffect::onTransact(
 uint32_t replySz = replySize;
 char *resp = NULL;
 if (replySize) {
+ if (replySize > EFFECT_PARAM_SIZE_MAX) {
+ free(cmd);
+ reply->writeInt32(NO_MEMORY);
+ return NO_ERROR;
+ }
 resp = (char *)calloc(replySize, 1);
 if (resp == NULL) {
 free(cmd);
diff --git a/media/libmedia/IHDCP.cpp b/media/libmedia/IHDCP.cpp
index f3a8902..e8c8a3d 100644
--- a/media/libmedia/IHDCP.cpp
+++ b/media/libmedia/IHDCP.cpp
@@ -241,14 +241,11 @@ status_t BnHDCP::onTransact(
 case HDCP_ENCRYPT: {
 size_t size = data.readInt32();
- size_t bufSize = 2 * size;
-
- // watch out for overflow
 void *inData = NULL;
- if (bufSize > size) {
- inData = malloc(bufSize);
+ // watch out for overflow
+ if (size <= SIZE_MAX / 2) {
+ inData = malloc(2 * size);
 }
-
 if (inData == NULL) {
 reply->writeInt32(ERROR_OUT_OF_RANGE);
 return OK;
@@ -256,11 +253,16 @@ status_t BnHDCP::onTransact(
 void *outData = (uint8_t *)inData + size;
- data.read(inData, size);
+ status_t err = data.read(inData, size);
+ if (err != OK) {
+ free(inData);
+ reply->writeInt32(err);
+ return OK;
+ }
 uint32_t streamCTR = data.readInt32();
 uint64_t inputCTR;
- status_t err = encrypt(inData, size, streamCTR, &inputCTR, outData);
+ err = encrypt(inData, size, streamCTR, &inputCTR, outData);
 reply->writeInt32(err);
|
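Review bot: The comment on `EFFECT_PARAM_SIZE_MAX` in the first IEffect.cpp hunk does not say that the value is in bytes, or that larger sizes are rejected rather than merely unexpected. Wording such as `// Upper bound, in bytes, on a command payload or reply buffer size read from the Parcel; larger requests are rejected before allocation` would make its role as an input-validation limit explicit. A typed constant (`static const uint32_t`) instead of a `#define` would also keep the name inside `namespace android` and give it the same type as the sizes it is compared with.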
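Review bot: Both new size checks (on `cmdSize` in this hunk and on `replySize` in the next one) report an oversized request as `NO_MEMORY`, the same status the existing `calloc` failure path writes. Neither the caller nor anyone reading logs can then tell a rejected out-of-range size from real memory exhaustion. Because these sizes come straight from the incoming Parcel, a rejected value is worth recording before replying, e.g. `ALOGE("effect command size %u exceeds %d", cmdSize, EFFECT_PARAM_SIZE_MAX);`, assuming the file's usual logging macros are in scope. Replying with `BAD_VALUE` would be clearer still, but only if existing clients do not depend on seeing `NO_MEMORY` here. `onTransact` begins and ends outside both hunks.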
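Review bot: The rewritten guard `size <= SIZE_MAX / 2` stops `2 * size` from wrapping, but it still puts no practical upper bound on a length taken from the Parcel: any non-negative 32-bit value passes, so on a 64-bit build one transaction can request a multi-gigabyte `malloc`. The IEffect.cpp change in this same commit caps its sizes with a fixed maximum. An equivalent cap here, e.g. `if (size > kMaxEncryptInputSize) { reply->writeInt32(ERROR_OUT_OF_RANGE); return OK; }` with `kMaxEncryptInputSize` a new constant sized for the largest expected input, would bound the allocation. The comment could also note that a negative `readInt32()` result converts to a very large `size_t` and is rejected by the same comparison. The `HDCP_ENCRYPT` case continues outside the hunk.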
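Review bot: The `streamCTR` read two lines after the new `data.read(inData, size)` check is still unchecked. `data.readInt32()` returns 0 when the Parcel has run out of data, so a truncated request reaches `encrypt()` with a counter of 0 instead of being rejected. Using the status-returning overload, `err = data.readInt32(&ctr);` into a local `int32_t ctr`, and taking the same free-and-reply path on failure would close that gap. A short comment on the new early return noting that `inData` also backs `outData` (one allocation, one `free`) would help the next reader. The case body continues past the end of the hunk.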