Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 591f24cd authored by Edwin Wong's avatar Edwin Wong
Browse files

Fix heap buffer overflow in clearkey CryptoPlugin::decrypt 

Fix destPtr was not pointing to destination raw pointer.

merge from qt-qpr1-dev: go/ag/9941940

bug: 144506242

Test: sts
  ANDROID_BUILD_TOP= ./android-sts/tools/sts-tradefed run sts-engbuild-no-spl-lock -m StsHostTestCases --test android.security.sts.Poc19_12#testPocBug_144506242

Change-Id: I9fb4ad350ec25dd697940fee57748652745a951d
parent 94e872e6

drm/mediadrm/plugins/clearkey/hidl/CryptoPlugin.cpp

+2 −0
Original line number Diff line number Diff line
@@ -136,6 +136,8 @@ Return<void> CryptoPlugin::decrypt_1_2( 
        return Void();

    }



    base = static_cast<uint8_t *>(static_cast<void *>(destBase->getPointer()));



    if (destBuffer.offset + destBuffer.size > destBase->getSize()) {

        _hidl_cb(Status_V1_2::ERROR_DRM_FRAME_TOO_LARGE, 0, "invalid buffer size");

        return Void();