[DO NOT MERGE] Fix heap buffer overflow for releaseSecureStops. am: fa237c4f76 Change-Id: If5a392a28c53986f4c1bf69004b1bb83186382f0

commit: c1e8596b5d8a04d205f7fe0074318ae58903599c [log] [tgz]
author: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> Thu Jan 23 00:14:18 2020 +0000
committer: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> Thu Jan 23 00:14:18 2020 +0000
tree: 2ff17924d3d0c21a7bd0422bae51c42e8ed6344d
parent: ccf05385f9c9f81a7ba67f645bd845dd79cf33c0 [diff]
parent: fa237c4f76b7b9369d9c499bfdc81e5072ddde86 [diff]
diff --git a/drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp b/drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp
index 71bb218..aab475e 100644
--- a/drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp
+++ b/drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp

@@ -818,6 +818,12 @@
     // and the drm service. The clearkey implementation consists of:
     //    count - number of secure stops
     //    list of fixed length secure stops
+    size_t countBufferSize = sizeof(uint32_t);
+    if (input.size() < countBufferSize) {
+        // SafetyNet logging
+        android_errorWriteLog(0x534e4554, "144766455");
+        return Status::BAD_VALUE;
+    }
     uint32_t count = 0;
     sscanf(reinterpret_cast<char*>(input.data()), "%04" PRIu32, &count);
commit	c1e8596b5d8a04d205f7fe0074318ae58903599c	[log] [tgz]
author	Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	Thu Jan 23 00:14:18 2020 +0000
committer	Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	Thu Jan 23 00:14:18 2020 +0000
tree	2ff17924d3d0c21a7bd0422bae51c42e8ed6344d
parent	ccf05385f9c9f81a7ba67f645bd845dd79cf33c0 [diff]
parent	fa237c4f76b7b9369d9c499bfdc81e5072ddde86 [diff]