diff options
author | Chong Zhang <chz@google.com> | 2015-04-28 03:18:37 +0000 |
---|---|---|
committer | Android (Google) Code Review <android-gerrit@google.com> | 2015-04-28 03:18:37 +0000 |
commit | dae24729d0b3ced8c4a7d7f9b631e852f564db4f (patch) | |
tree | c48bf229b8ec7862e0fd6cebf373562b230eddfa /media | |
parent | 4275065e89b121fd2f9bd4e0440577348d5ce663 (diff) | |
parent | 532cd7b86a5fdc7b9a30a45d8ae2d16ef7660a72 (diff) | |
download | frameworks_av-dae24729d0b3ced8c4a7d7f9b631e852f564db4f.zip frameworks_av-dae24729d0b3ced8c4a7d7f9b631e852f564db4f.tar.gz frameworks_av-dae24729d0b3ced8c4a7d7f9b631e852f564db4f.tar.bz2 |
Merge "HDCP: buffer over flow check" into mnc-dev
Diffstat (limited to 'media')
-rw-r--r-- | media/libmedia/IHDCP.cpp | 26 |
1 files changed, 24 insertions, 2 deletions
diff --git a/media/libmedia/IHDCP.cpp b/media/libmedia/IHDCP.cpp index 9122f75..79944ee 100644 --- a/media/libmedia/IHDCP.cpp +++ b/media/libmedia/IHDCP.cpp @@ -241,8 +241,19 @@ status_t BnHDCP::onTransact( case HDCP_ENCRYPT: { size_t size = data.readInt32(); + size_t bufSize = 2 * size; + + // watch out for overflow + void *inData = NULL; + if (bufSize > size) { + inData = malloc(bufSize); + } + + if (inData == NULL) { + reply->writeInt32(ERROR_OUT_OF_RANGE); + return OK; + } - void *inData = malloc(2 * size); void *outData = (uint8_t *)inData + size; data.read(inData, size); @@ -295,8 +306,19 @@ status_t BnHDCP::onTransact( case HDCP_DECRYPT: { size_t size = data.readInt32(); + size_t bufSize = 2 * size; + + // watch out for overflow + void *inData = NULL; + if (bufSize > size) { + inData = malloc(bufSize); + } + + if (inData == NULL) { + reply->writeInt32(ERROR_OUT_OF_RANGE); + return OK; + } - void *inData = malloc(2 * size); void *outData = (uint8_t *)inData + size; data.read(inData, size); |