commit 3048485165ef692c77b30330054aaf299834fcba
author Jeff Tinker <jtinker@google.com> Fri Sep 02 18:18:39 2016 -0700
committer Jeff Tinker <jtinker@google.com> Mon Sep 19 19:52:38 2016 -0700
tree 4dd16699101068dd74412565a232452c2ea7d25a
parent 3b6c92f819442a56d72dc1764eb4fbc33a73ed7d

Avoid returning decrypted data over binder

Use shared memory instead

b/29514618

Change-Id: Iba82053f7c965c7bead816654827cbf94d3b2a9d

media/libmedia/ICrypto.cpp

diff --git a/media/libmedia/ICrypto.cpp b/media/libmedia/ICrypto.cpp
index 26dd2c9..a750824 100644
--- a/media/libmedia/ICrypto.cpp
+++ b/media/libmedia/ICrypto.cpp
@@ -150,10 +150,10 @@
 
         if (isCryptoError(result)) {
             errorDetailMsg->setTo(reply.readCString());
-        }
-
-        if (dstType == kDestinationTypeVmPointer && result >= 0) {
-            reply.read(dstPtr, result);
+        } else if (dstType == kDestinationTypeVmPointer) {
+            // For the non-secure case, copy the decrypted-in-place
+            // data from shared memory to its final destination
+            memcpy(dstPtr, sharedBuffer->pointer(), result);
         }
 
         return result;
@@ -320,7 +320,10 @@
                 dstPtr = secureBufferId;
             } else {
                 dstType = kDestinationTypeVmPointer;
-                dstPtr = malloc(totalSize);
+
+                // For the non-secure case, decrypt in-place back to the
+                // shared memory segment.
+                dstPtr = sharedBuffer->pointer();
             }
 
             AString errorDetailMsg;
@@ -366,14 +369,7 @@
                 reply->writeCString(errorDetailMsg.c_str());
             }
 
-            if (dstType == kDestinationTypeVmPointer) {
-                if (result >= 0) {
-                    CHECK_LE(result, static_cast<ssize_t>(totalSize));
-                    reply->write(dstPtr, result);
-                }
-                free(dstPtr);
-                dstPtr = NULL;
-            } else if (dstType == kDestinationTypeNativeHandle) {
+            if (dstType == kDestinationTypeNativeHandle) {
                 int err;
                 if ((err = native_handle_close(nativeHandle)) < 0) {
                     ALOGW("secure buffer native_handle_close failed: %d", err);