RESTRICT AUTOMERGE Fix Heap buffer overflow in clearkey releaseSecureStops Security Vulnerability fix: Heap buffer overflow in clearkey releaseSecureStops - android.hardware.drm@1.1-service.clearkey Fix provided by researcher. Test: CTS tests android.media.cts.MediaDrmClearkeyTest#testSecureStop android.media.cts.MediaDrmClearkeyTest Test: run drmpoc no signal 6 on clearkey service after the fix Test: adb shell ps | grep clearkey pid ID does not change after running drmpoc bug: 137284652 Change-Id: Id085945943aa6b85c597dc8b7c32a3b990c54a2b

commit: 3ae43b0ae940eb860fe03a4db6a17fefa155807a [log] [tgz]
author: Edwin Wong <edwinwong@google.com> Mon Sep 23 13:27:11 2019 -0700
committer: Sterling Huber <hubers@google.com> Thu Dec 19 22:09:09 2019 +0000
tree: 12dd2c6f200e2b03742fc065f297146419e0a89b
parent: 9ed54cdf4d8970bdeb88e4488dabb56e1d6c79b7 [diff]
diff --git a/drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp b/drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp
index d74bc53..0c74a6c 100644
--- a/drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp
+++ b/drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp

@@ -797,7 +797,8 @@
 }
 
 Return<Status> DrmPlugin::releaseSecureStops(const SecureStopRelease& ssRelease) {
-    if (ssRelease.opaqueData.size() == 0) {
+    // minimum opaqueData contains the uint32_t count, see comment below
+    if (ssRelease.opaqueData.size() < sizeof(uint32_t)) {
         return Status::BAD_VALUE;
     }
commit	3ae43b0ae940eb860fe03a4db6a17fefa155807a	[log] [tgz]
author	Edwin Wong <edwinwong@google.com>	Mon Sep 23 13:27:11 2019 -0700
committer	Sterling Huber <hubers@google.com>	Thu Dec 19 22:09:09 2019 +0000
tree	12dd2c6f200e2b03742fc065f297146419e0a89b
parent	9ed54cdf4d8970bdeb88e4488dabb56e1d6c79b7 [diff]