
Commit 61eae44c authored by Hung Nguyen's avatar Hung Nguyen Committed by James Dong

Fixed bugs where the content of buffer holding keys was cleared using a wrong size in forward lock

Modified by James Dong <jdong@google.com>

Change-Id: Iaacfc79b2b26bdee7046d8555e3b4e0bc224c3c5
parent bb9c2e11
+4 −2
@@ -245,7 +245,9 @@ static int FwdLockConv_DeriveKeys(FwdLockConv_Session_t *pSession) {
        AES_KEY sessionRoundKeys;
        unsigned char value[KEY_SIZE];
        unsigned char key[KEY_SIZE];
    } *pData = malloc(sizeof *pData);
    };
    const size_t kSize = sizeof(struct FwdLockConv_DeriveKeys_Data);
    struct FwdLockConv_DeriveKeys_Data *pData = malloc(kSize);
    if (pData == NULL) {
        status = FwdLockConv_Status_OutOfMemory;
    } else {
@@ -268,7 +270,7 @@ static int FwdLockConv_DeriveKeys(FwdLockConv_Session_t *pSession) {
                status = FwdLockConv_Status_OK;
            }
        }
        memset(pData, 0, sizeof pData); // Zero out key data.
        memset(pData, 0, kSize); // Zero out key data.
        free(pData);
    }
    return status;
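Review bot: Even with the size corrected, `memset(pData, 0, kSize);` directly before `free(pData);` is a dead store as far as the compiler is concerned, so an optimizing build may drop it and leave the round keys and derived key in freed heap memory. The same pattern is present in FwdLockFile_DeriveKeys in the second file section. Consider a wipe the optimizer cannot elide, for example `volatile unsigned char *p = (volatile unsigned char *)pData;` followed by `for (size_t i = 0; i < kSize; ++i) p[i] = 0;`, or the target libc's explicit-zeroing routine if it provides one. The middle of the function lies outside both hunks, so any stack copies of key material made there could not be checked from this view.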
+5 −2
@@ -174,7 +174,10 @@ static int FwdLockFile_DeriveKeys(FwdLockFile_Session_t * pSession) {
        AES_KEY sessionRoundKeys;
        unsigned char value[KEY_SIZE];
        unsigned char key[KEY_SIZE];
    } *pData = malloc(sizeof *pData);
    };

    const size_t kSize = sizeof(struct FwdLockFile_DeriveKeys_Data);
    struct FwdLockFile_DeriveKeys_Data *pData = malloc(kSize);
    if (pData == NULL) {
        result = FALSE;
    } else {
@@ -202,7 +205,7 @@ static int FwdLockFile_DeriveKeys(FwdLockFile_Session_t * pSession) {
        if (!result) {
            errno = ENOSYS;
        }
        memset(pData, 0, sizeof pData); // Zero out key data.
        memset(pData, 0, kSize); // Zero out key data.
        free(pData);
    }
    return result;
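Review bot: The wipe at `memset(pData, 0, kSize);` now depends on `kSize` and the newly tagged struct staying in step with the type of `pData`, whereas `memset(pData, 0, sizeof *pData);` would follow the pointer's type automatically and would not have required naming the struct. The original `sizeof pData` mistake is the kind GCC and Clang report under `-Wsizeof-pointer-memaccess`, so it is worth confirming that warning is enabled and not suppressed for this module. If `kSize` is kept, a short comment on its declaration would make the intent explicit, e.g. `// Size of the heap block holding round keys and derived keys; wiped before free.`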