commit 917033735e2f55e76e93b17a37fda2cab72f381b
author Marco Nelissen <marcone@google.com> Mon Feb 13 23:08:44 2017 +0000
committer android-build-merger <android-build-merger@google.com> Mon Feb 13 23:08:44 2017 +0000
tree 543f981a3664ea744f6ad7a4a6fb90616161b9ae
parent 50358a80b1724f6cf1bcdf003e1abf9cc141b122
parent 497f2ccce4a76ca5dc7212a908e00b1e240222e7

Merge "Fix overflow check and check read result" into klp-dev am: b6aa3901ce am: e541fa1764 am: 7f3980c0ca am: ea2023406b am: 3fc94bc146
am: 497f2ccce4

Change-Id: I2df07a6aa02a7c56a47c777e0eacbc6d560055de

media/libmedia/IHDCP.cpp

diff --git a/media/libmedia/IHDCP.cpp b/media/libmedia/IHDCP.cpp
index f3a8902..e8c8a3d 100644
--- a/media/libmedia/IHDCP.cpp
+++ b/media/libmedia/IHDCP.cpp
@@ -241,14 +241,11 @@
         case HDCP_ENCRYPT:
         {
             size_t size = data.readInt32();
-            size_t bufSize = 2 * size;
-
-            // watch out for overflow
             void *inData = NULL;
-            if (bufSize > size) {
-                inData = malloc(bufSize);
+            // watch out for overflow
+            if (size <= SIZE_MAX / 2) {
+                inData = malloc(2 * size);
             }
-
             if (inData == NULL) {
                 reply->writeInt32(ERROR_OUT_OF_RANGE);
                 return OK;
@@ -256,11 +253,16 @@
 
             void *outData = (uint8_t *)inData + size;
 
-            data.read(inData, size);
+            status_t err = data.read(inData, size);
+            if (err != OK) {
+                free(inData);
+                reply->writeInt32(err);
+                return OK;
+            }
 
             uint32_t streamCTR = data.readInt32();
             uint64_t inputCTR;
-            status_t err = encrypt(inData, size, streamCTR, &inputCTR, outData);
+            err = encrypt(inData, size, streamCTR, &inputCTR, outData);
 
             reply->writeInt32(err);