Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 8464bfa9 authored by Edwin Wong's avatar Edwin Wong
Browse files

[DO NOT MERGE] Fix heap buffer overflow in clearkey CryptoPlugin::decrypt 

Fix destPtr was not pointing to destination raw pointer.

bug: 144506242

Test: sts
  ANDROID_BUILD_TOP= ./android-sts/tools/sts-tradefed run sts-engbuild-no-spl-lock -m StsHostTestCases --test android.security.sts.Poc19_12#testPocBug_144506242

Change-Id: Ia1b8f755daaada2f1411abeb3cb5b832a72b3c82
parent 8f72d008

drm/mediadrm/plugins/clearkey/hidl/CryptoPlugin.cpp

+2 −0
Original line number Diff line number Diff line
@@ -136,6 +136,8 @@ Return<void> CryptoPlugin::decrypt_1_2( 
        return Void();

    }



    base = static_cast<uint8_t *>(static_cast<void *>(destBase->getPointer()));



    if (destBuffer.offset + destBuffer.size > destBase->getSize()) {

        _hidl_cb(Status_V1_2::ERROR_DRM_FRAME_TOO_LARGE, 0, "invalid buffer size");

        return Void();