From 09ed70fab1f1424971ccc105dcdf5be5ce2e2643 Mon Sep 17 00:00:00 2001 From: Jeff Tinker Date: Mon, 14 Sep 2015 13:55:23 -0700 Subject: Fix heap data leak vulnerability bug: 23600291 Change-Id: I7979e9e25ada01c13775be8580d433a8b4ce4ffe --- drm/common/IDrmManagerService.cpp | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) (limited to 'drm/common') diff --git a/drm/common/IDrmManagerService.cpp b/drm/common/IDrmManagerService.cpp index db41e0b..c235201 100644 --- a/drm/common/IDrmManagerService.cpp +++ b/drm/common/IDrmManagerService.cpp @@ -741,9 +741,11 @@ status_t BpDrmManagerService::decrypt( const status_t status = reply.readInt32(); ALOGV("Return value of decrypt() is %d", status); - const int size = reply.readInt32(); - (*decBuffer)->length = size; - reply.read((void *)(*decBuffer)->data, size); + if (status == NO_ERROR) { + const int size = reply.readInt32(); + (*decBuffer)->length = size; + reply.read((void *)(*decBuffer)->data, size); + } return status; } @@ -1438,9 +1440,11 @@ status_t BnDrmManagerService::onTransact( reply->writeInt32(status); - const int size = decBuffer->length; - reply->writeInt32(size); - reply->write(decBuffer->data, size); + if (status == NO_ERROR) { + const int size = decBuffer->length; + reply->writeInt32(size); + reply->write(decBuffer->data, size); + } clearDecryptHandle(&handle); delete encBuffer; encBuffer = NULL; -- cgit v1.1