
Commit 38d27e7b authored by Edwin Wong

Fix heap buffer overflow for releaseSecureStops.

If the input SecureStopRelease size is less than sizeof(uint32_t)
in releaseSecureStops(), an out of bound read will occur.

bug: 144766455
bug: 144746235
bug: 147281068

Test: sts
ANDROID_BUILD_TOP= ./android-sts/tools/sts-tradefed run sts-engbuild-no-spl-lock -m StsHostTestCases --test android.security.sts.Poc19_11#testPocBug_144766455

Change-Id: I8c89797869addf83342a4f32e17bce0515713119
parent f9cd09f6
+6 −0
@@ -829,6 +829,12 @@ Return<Status> DrmPlugin::releaseSecureStops(const SecureStopRelease& ssRelease)
    // and the drm service. The clearkey implementation consists of:
    //    count - number of secure stops
    //    list of fixed length secure stops
    size_t countBufferSize = sizeof(uint32_t);
    if (input.size() < countBufferSize) {
        // SafetyNet logging
        android_errorWriteLog(0x534e4554, "144766455");
        return Status::BAD_VALUE;
    }
    uint32_t count = 0;
    sscanf(reinterpret_cast<char*>(input.data()), "%04" PRIu32, &count);
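Review bot: the new guard `if (input.size() < countBufferSize)` sizes the count field with `sizeof(uint32_t)`, but the `sscanf` that follows parses the count as up to four ASCII decimal digits (`"%04" PRIu32`), so the two values agree only because both happen to be 4. Consider a named constant for the width of the text count field and using it in both the size check and the format, so the bound cannot drift from what is actually read. Two related points on the same lines: `sscanf` expects a NUL-terminated string and nothing visible here shows that `input.data()` is terminated, so a bounded parse over exactly the first four bytes would be safer than relying on the field width; and the `sscanf` return value is not checked, so a non-numeric prefix silently leaves `count` at 0. Since the comment above describes the payload as a count followed by a list of fixed length secure stops, it is also worth confirming that the code after this hunk validates `input.size()` against `count` times the secure stop length before reading the list.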