Fix heap data leak vulnerability bug: 23600291 Change-Id: I7979e9e25ada01c13775be8580d433a8b4ce4ffe

commit: 9f5b6184a541461573163520d7f31f0bf943d9fc [log] [tgz]
author: Jeff Tinker <jtinker@google.com> Mon Sep 14 13:55:23 2015 -0700
committer: The Android Automerger <android-build@android.com> Wed Oct 21 12:08:20 2015 -0700
tree: 7689a4773b8fbf524ce2da858de8a12ed86e521d
parent: 24d59feb83a2b0e2141ed68982a9854a2095ab3e [diff]
diff --git a/drm/common/IDrmManagerService.cpp b/drm/common/IDrmManagerService.cpp
index db41e0b..c235201 100644
--- a/drm/common/IDrmManagerService.cpp
+++ b/drm/common/IDrmManagerService.cpp

@@ -741,9 +741,11 @@
     const status_t status = reply.readInt32();
     ALOGV("Return value of decrypt() is %d", status);
 
-    const int size = reply.readInt32();
-    (*decBuffer)->length = size;
-    reply.read((void *)(*decBuffer)->data, size);
+    if (status == NO_ERROR) {
+        const int size = reply.readInt32();
+        (*decBuffer)->length = size;
+        reply.read((void *)(*decBuffer)->data, size);
+    }
 
     return status;
 }
@@ -1438,9 +1440,11 @@
 
         reply->writeInt32(status);
 
-        const int size = decBuffer->length;
-        reply->writeInt32(size);
-        reply->write(decBuffer->data, size);
+        if (status == NO_ERROR) {
+            const int size = decBuffer->length;
+            reply->writeInt32(size);
+            reply->write(decBuffer->data, size);
+        }
 
         clearDecryptHandle(&handle);
         delete encBuffer; encBuffer = NULL;
commit	9f5b6184a541461573163520d7f31f0bf943d9fc	[log] [tgz]
author	Jeff Tinker <jtinker@google.com>	Mon Sep 14 13:55:23 2015 -0700
committer	The Android Automerger <android-build@android.com>	Wed Oct 21 12:08:20 2015 -0700
tree	7689a4773b8fbf524ce2da858de8a12ed86e521d
parent	24d59feb83a2b0e2141ed68982a9854a2095ab3e [diff]