Google Git
Sign in
android/platform/frameworks/av/c82e31a7039a03dca7b37c65b7890ba5c1e18ced^!/.
commit
c82e31a7039a03dca7b37c65b7890ba5c1e18ced
[log]
author
Chong Zhang <chz@google.com>
Mon Apr 27 18:38:17 2015 -0700
committer
The Android Automerger <android-build@google.com>
Thu Jul 09 14:03:00 2015 -0700
tree
6238c3bcad634928c91a7b89c8d25cb5b78ea34c
parent
d48f0f145f8f0f4472bc0af668ac9a8bce44ba9b [diff]
HDCP: buffer over flow check -- DO NOT MERGE

bug: 20222489
Change-Id: I3a64a5999d68ea243d187f12ec7717b7f26d93a3
(cherry picked from commit 532cd7b86a5fdc7b9a30a45d8ae2d16ef7660a72)

diff --git a/media/libmedia/IHDCP.cpp b/media/libmedia/IHDCP.cpp
index 1cf987a..9d93320 100644
--- a/media/libmedia/IHDCP.cpp
+++ b/media/libmedia/IHDCP.cpp

@@ -241,8 +241,19 @@
         case HDCP_ENCRYPT:
         {
             size_t size = data.readInt32();
+            size_t bufSize = 2 * size;
 
-            void *inData = malloc(2 * size);
+            // watch out for overflow
+            void *inData = NULL;
+            if (bufSize > size) {
+                inData = malloc(bufSize);
+            }
+
+            if (inData == NULL) {
+                reply->writeInt32(ERROR_OUT_OF_RANGE);
+                return OK;
+            }
+
             void *outData = (uint8_t *)inData + size;
 
             data.read(inData, size);
@@ -295,8 +306,19 @@
         case HDCP_DECRYPT:
         {
             size_t size = data.readInt32();
+            size_t bufSize = 2 * size;
 
-            void *inData = malloc(2 * size);
+            // watch out for overflow
+            void *inData = NULL;
+            if (bufSize > size) {
+                inData = malloc(bufSize);
+            }
+
+            if (inData == NULL) {
+                reply->writeInt32(ERROR_OUT_OF_RANGE);
+                return OK;
+            }
+
             void *outData = (uint8_t *)inData + size;
 
             data.read(inData, size);