Merge "Harden drmserver process against fuzzing attacks" into mnc-dev

#include "IDrmManagerService.h"

#define INVALID_BUFFER_LENGTH -1

#define MAX_BINDER_TRANSACTION_SIZE ((1*1024*1024)-(4096*2))

using namespace android;

        //Filling DRM info

        const int infoType = data.readInt32();

        const int bufferSize = data.readInt32();

        const uint32_t bufferSize = data.readInt32();

        if (bufferSize > data.dataAvail()) {

            return BAD_VALUE;

        }

        char* buffer = NULL;

        if (0 < bufferSize) {

            buffer = (char *)data.readInplace(bufferSize);

        const int size = data.readInt32();

        for (int index = 0; index < size; ++index) {

            if (!data.dataAvail()) {

                break;

            }

            const String8 key(data.readString8());

            if (key == String8("FileDescriptorKey")) {

                char buffer[16];

        const int uniqueId = data.readInt32();

        //Filling DRM Rights

        const int bufferSize = data.readInt32();

        const uint32_t bufferSize = data.readInt32();

        if (bufferSize > data.dataAvail()) {

            reply->writeInt32(BAD_VALUE);

            return DRM_NO_ERROR;

        }

        const DrmBuffer drmBuffer((char *)data.readInplace(bufferSize), bufferSize);

        const String8 mimeType(data.readString8());

        const int convertId = data.readInt32();

        //Filling input data

        const int bufferSize = data.readInt32();

        const uint32_t bufferSize = data.readInt32();

        if (bufferSize > data.dataAvail()) {

            return BAD_VALUE;

        }

        DrmBuffer* inputData = new DrmBuffer((char *)data.readInplace(bufferSize), bufferSize);

        DrmConvertedStatus* drmConvertedStatus = convertData(uniqueId, convertId, inputData);

        const int decryptUnitId = data.readInt32();

        //Filling Header info

        const int bufferSize = data.readInt32();

        const uint32_t bufferSize = data.readInt32();

        if (bufferSize > data.dataAvail()) {

            reply->writeInt32(BAD_VALUE);

            clearDecryptHandle(&handle);

            return DRM_NO_ERROR;

        }

        DrmBuffer* headerInfo = NULL;

        headerInfo = new DrmBuffer((char *)data.readInplace(bufferSize), bufferSize);

        readDecryptHandleFromParcelData(&handle, data);

        const int decryptUnitId = data.readInt32();

        const int decBufferSize = data.readInt32();

        const uint32_t decBufferSize = data.readInt32();

        const uint32_t encBufferSize = data.readInt32();

        if (encBufferSize > data.dataAvail() ||

            decBufferSize > MAX_BINDER_TRANSACTION_SIZE) {

            reply->writeInt32(BAD_VALUE);

            reply->writeInt32(0);

            clearDecryptHandle(&handle);

            return DRM_NO_ERROR;

        }

        const int encBufferSize = data.readInt32();

        DrmBuffer* encBuffer

            = new DrmBuffer((char *)data.readInplace(encBufferSize), encBufferSize);

        DrmBuffer* IV = NULL;

        if (0 != data.dataAvail()) {

            const int ivBufferlength = data.readInt32();

            const uint32_t ivBufferlength = data.readInt32();

            if (ivBufferlength <= data.dataAvail()) {

                IV = new DrmBuffer((char *)data.readInplace(ivBufferlength), ivBufferlength);

            }

        }

        const status_t status

            = decrypt(uniqueId, &handle, decryptUnitId, encBuffer, &decBuffer, IV);

        DecryptHandle handle;

        readDecryptHandleFromParcelData(&handle, data);

        const int numBytes = data.readInt32();

        const uint32_t numBytes = data.readInt32();

        if (numBytes > MAX_BINDER_TRANSACTION_SIZE) {

            reply->writeInt32(BAD_VALUE);

            return DRM_NO_ERROR;

        }

        char* buffer = new char[numBytes];

        const off64_t offset = data.readInt64();