RESTRICT AUTOMERGE
Fix Heap buffer overflow in clearkey releaseSecureStops
Security Vulnerability fix: Heap buffer overflow in clearkey
releaseSecureStops - android.hardware.drm@1.1-service.clearkey
Fix provided by researcher.
Test: CTS tests
android.media.cts.MediaDrmClearkeyTest#testSecureStop
android.media.cts.MediaDrmClearkeyTest
Test: run drmpoc
no signal 6 on clearkey service after the fix
Test: adb shell ps | grep clearkey
pid ID does not change after running drmpoc
bug: 137284652
Change-Id: Id085945943aa6b85c597dc8b7c32a3b990c54a2b
diff --git a/drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp b/drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp
index d74bc53..0c74a6c 100644
--- a/drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp
+++ b/drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp
@@ -797,7 +797,8 @@
}
Return<Status> DrmPlugin::releaseSecureStops(const SecureStopRelease& ssRelease) {
- if (ssRelease.opaqueData.size() == 0) {
+ // minimum opaqueData contains the uint32_t count, see comment below
+ if (ssRelease.opaqueData.size() < sizeof(uint32_t)) {
return Status::BAD_VALUE;
}
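Review bot: The new `ssRelease.opaqueData.size() < sizeof(uint32_t)` guard at the top of `releaseSecureStops` only guarantees that the 4-byte count can be read. Nothing visible in this hunk bounds the count value itself, or the data that follows it, against `opaqueData.size()`. Please confirm that the parsing code below checks the remaining length before every read and returns `Status::BAD_VALUE` when the buffer is too short, or add that check here. An input of exactly four bytes carrying a large count is the case worth covering in a test. Separately, the added comment points to "comment below", which will go stale if that comment moves. Consider stating inline that `opaqueData` starts with a `uint32_t` count.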