Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 3b93ca58 authored by Edwin Wong's avatar Edwin Wong Committed by Android (Google) Code Review
Browse files

Merge "Fix Heap use after free in clearkey getSecureStops"

parents 21baf09e 8e407226

drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp

+18 −3
Original line number Diff line number Diff line
@@ -111,6 +111,8 @@ void DrmPlugin::initProperties() { 
// The content in this secure stop is implementation dependent, the clearkey

// secureStop does not serve as a reference implementation.

void DrmPlugin::installSecureStop(const hidl_vec<uint8_t>& sessionId) {

    Mutex::Autolock lock(mSecureStopLock);



    ClearkeySecureStop clearkeySecureStop;

    clearkeySecureStop.id = uint32ToVector(++mNextSecureStopId);

    clearkeySecureStop.data.assign(sessionId.begin(), sessionId.end());
@@ -744,6 +746,7 @@ Return<void> DrmPlugin::getOfflineLicenseState(const KeySetId& keySetId, 
}



Return<void> DrmPlugin::getSecureStops(getSecureStops_cb _hidl_cb) {

    mSecureStopLock.lock();

    std::vector<SecureStop> stops;

    for (auto itr = mSecureStops.begin(); itr != mSecureStops.end(); ++itr) {

        ClearkeySecureStop clearkeyStop = itr->second;
@@ -755,26 +758,32 @@ Return<void> DrmPlugin::getSecureStops(getSecureStops_cb _hidl_cb) { 
        stop.opaqueData = toHidlVec(stopVec);

        stops.push_back(stop);

    }

    mSecureStopLock.unlock();



    _hidl_cb(Status::OK, stops);

    return Void();

}



Return<void> DrmPlugin::getSecureStop(const hidl_vec<uint8_t>& secureStopId,

        getSecureStop_cb _hidl_cb) {

    SecureStop stop;

    std::vector<uint8_t> stopVec;



    mSecureStopLock.lock();

    auto itr = mSecureStops.find(toVector(secureStopId));

    if (itr != mSecureStops.end()) {

        ClearkeySecureStop clearkeyStop = itr->second;

        std::vector<uint8_t> stopVec;

        stopVec.insert(stopVec.end(), clearkeyStop.id.begin(), clearkeyStop.id.end());

        stopVec.insert(stopVec.end(), clearkeyStop.data.begin(), clearkeyStop.data.end());

    }

    mSecureStopLock.unlock();



    SecureStop stop;

    if (!stopVec.empty()) {

        stop.opaqueData = toHidlVec(stopVec);

        _hidl_cb(Status::OK, stop);

    } else {

        _hidl_cb(Status::BAD_VALUE, stop);

    }



    return Void();

}
@@ -787,10 +796,12 @@ Return<Status> DrmPlugin::releaseAllSecureStops() { 
}



Return<void> DrmPlugin::getSecureStopIds(getSecureStopIds_cb _hidl_cb) {

    mSecureStopLock.lock();

    std::vector<SecureStopId> ids;

    for (auto itr = mSecureStops.begin(); itr != mSecureStops.end(); ++itr) {

        ids.push_back(itr->first);

    }

    mSecureStopLock.unlock();



    _hidl_cb(Status::OK, toHidlVec(ids));

    return Void();
@@ -850,6 +861,8 @@ Return<Status> DrmPlugin::releaseSecureStops(const SecureStopRelease& ssRelease) 
}



Return<Status> DrmPlugin::removeSecureStop(const hidl_vec<uint8_t>& secureStopId) {

    Mutex::Autolock lock(mSecureStopLock);



    if (1 != mSecureStops.erase(toVector(secureStopId))) {

        return Status::BAD_VALUE;

    }
@@ -857,6 +870,8 @@ Return<Status> DrmPlugin::removeSecureStop(const hidl_vec<uint8_t>& secureStopId 
}



Return<Status> DrmPlugin::removeAllSecureStops() {

    Mutex::Autolock lock(mSecureStopLock);



    mSecureStops.clear();

    mNextSecureStopId = kSecureStopIdStart;

    return Status::OK;

drm/mediadrm/plugins/clearkey/hidl/include/DrmPlugin.h

+1 −0
Original line number Diff line number Diff line
@@ -416,6 +416,7 @@ private: 
    }



    DeviceFiles mFileHandle;

    Mutex mSecureStopLock;



    CLEARKEY_DISALLOW_COPY_AND_ASSIGN_AND_NEW(DrmPlugin);

};