From 35250664455c9642cc14d3831b663880637a7d70 Mon Sep 17 00:00:00 2001
From: James Dong
Date: Tue, 13 Mar 2012 19:20:55 -0700
Subject: Fixed a buffer overflow bug in DrmPassthruPlugin
Change-Id: I8df2a90409c9266a094a1a0904a5ff76ec483d16
---
drm/libdrmframework/plugins/passthru/src/DrmPassthruPlugIn.cpp | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
(limited to 'drm')
diff --git a/drm/libdrmframework/plugins/passthru/src/DrmPassthruPlugIn.cpp b/drm/libdrmframework/plugins/passthru/src/DrmPassthruPlugIn.cpp
index 0ffc0a7..77db32c 100644
--- a/drm/libdrmframework/plugins/passthru/src/DrmPassthruPlugIn.cpp
+++ b/drm/libdrmframework/plugins/passthru/src/DrmPassthruPlugIn.cpp
@@ -279,8 +279,14 @@ status_t DrmPassthruPlugIn::onDecrypt(int uniqueId, DecryptHandle* decryptHandle
 * memory has to be allocated by the caller.
 */
 if (NULL != (*decBuffer) && 0 < (*decBuffer)->length) {
- memcpy((*decBuffer)->data, encBuffer->data, encBuffer->length);
- (*decBuffer)->length = encBuffer->length;
+ if ((*decBuffer)->length >= encBuffer->length) {
+ memcpy((*decBuffer)->data, encBuffer->data, encBuffer->length);
+ (*decBuffer)->length = encBuffer->length;
+ } else {
+ ALOGE("decBuffer size (%d) too small to hold %d bytes",
+ (*decBuffer)->length, encBuffer->length);
+ return DRM_ERROR_UNKNOWN;
+ }
 }
 return DRM_NO_ERROR;
 }
-- cgit v1.1
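Review bot: The added bound `(*decBuffer)->length >= encBuffer->length` only rejects a source that is too large. The `%d` conversions in the new ALOGE call suggest both lengths are signed ints, and if so a negative `encBuffer->length` still passes the test and reaches memcpy as a very large size_t. The guard should reject that case as well, for example `if (encBuffer->length >= 0 && (*decBuffer)->length >= encBuffer->length) {`. Separately, the outer condition still falls through to `return DRM_NO_ERROR;` when `*decBuffer` is NULL or its length is not positive, so a caller is told the decrypt succeeded although nothing was copied; returning an error there would match the new too-small branch. onDecrypt's body starts outside the hunk, so any earlier validation of `encBuffer` or of the two `data` pointers is not visible here and should be confirmed.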