Merge "[DO NOT MERGE] Fix heap buffer overflow in clearkey CryptoPlugin::decrypt" into pi-dev

commit: d651cdcfafd48df0ae0f50f83eb85a35ee5ab0cb [log] [tgz]
author: Edwin Wong <edwinwong@google.com> Thu Jan 23 20:59:59 2020 +0000
committer: Android (Google) Code Review <android-gerrit@google.com> Thu Jan 23 20:59:59 2020 +0000
tree: 2926078ecc63d88d598b6e1541c9a267dbdf6596
parent: 2587ab6c7642062ea1791de1868c28b1164a073c [diff]
parent: dc4c427b2155a9928a7cdaac7c0a787dd9c8192d [diff]
diff --git a/drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp b/drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp
index d51e29d..30f7459 100644
--- a/drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp
+++ b/drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp

@@ -531,6 +531,11 @@
     //    count - number of secure stops
     //    list of fixed length secure stops
     size_t countBufferSize = sizeof(uint32_t);
+    if (input.size() < countBufferSize) {
+        // SafetyNet logging
+        android_errorWriteLog(0x534e4554, "144766455");
+        return Status::BAD_VALUE;
+    }
     uint32_t count = 0;
     sscanf(reinterpret_cast<char*>(input.data()), "%04" PRIu32, &count);
commit	d651cdcfafd48df0ae0f50f83eb85a35ee5ab0cb	[log] [tgz]
author	Edwin Wong <edwinwong@google.com>	Thu Jan 23 20:59:59 2020 +0000
committer	Android (Google) Code Review <android-gerrit@google.com>	Thu Jan 23 20:59:59 2020 +0000
tree	2926078ecc63d88d598b6e1541c9a267dbdf6596
parent	2587ab6c7642062ea1791de1868c28b1164a073c [diff]
parent	dc4c427b2155a9928a7cdaac7c0a787dd9c8192d [diff]