Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit dc4c427b authored by Edwin Wong's avatar Edwin Wong
Browse files

[DO NOT MERGE] Fix heap buffer overflow in clearkey CryptoPlugin::decrypt 

Fix destPtr was not pointing to destination raw pointer.

bug: 144506242

Test: sts
  ANDROID_BUILD_TOP= ./android-sts/tools/sts-tradefed run sts-engbuild-no-spl-lock -m StsHostTestCases --test android.security.sts.Poc19_12#testPocBug_144506242

Change-Id: I9425baa21c82d5a5edf37c87989adbade0428b67
parent 1d2cccfd

drm/mediadrm/plugins/clearkey/hidl/CryptoPlugin.cpp

+2 −0
Original line number Diff line number Diff line
@@ -106,6 +106,8 @@ Return<void> CryptoPlugin::decrypt( 
        return Void();

    }



    base = static_cast<uint8_t *>(static_cast<void *>(destBase->getPointer()));



    if (destBuffer.offset + destBuffer.size > destBase->getSize()) {

        _hidl_cb(Status::ERROR_DRM_CANNOT_HANDLE, 0, "invalid buffer size");

        return Void();