Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit b92e3bf7 authored by Edwin Wong's avatar Edwin Wong
Browse files

[DO NOT MERGE] Fix heap buffer overflow for releaseSecureStops. 

If the input SecureStopRelease size is less than sizeof(uint32_t)
in releaseSecureStops(), an out of bound read will occur.

bug: 144766455
bug: 144746235
bug: 147281068

Test: sts
ANDROID_BUILD_TOP= ./android-sts/tools/sts-tradefed run sts-engbuild-no-spl-lock -m StsHostTestCases --test android.security.sts.Poc19_11#testPocBug_144766455

Change-Id: Ibee5a105eaedfee37d2fa93f7024f63f30cc7409
parent 7b254210

drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp

+5 −0
Original line number Diff line number Diff line
@@ -809,6 +809,11 @@ Return<Status> DrmPlugin::releaseSecureStops(const SecureStopRelease& ssRelease) 
    //    count - number of secure stops

    //    list of fixed length secure stops

    size_t countBufferSize = sizeof(uint32_t);

    if (input.size() < countBufferSize) {

        // SafetyNet logging

        android_errorWriteLog(0x534e4554, "144766455");

        return Status::BAD_VALUE;

    }

    uint32_t count = 0;

    sscanf(reinterpret_cast<char*>(input.data()), "%04" PRIu32, &count);