
Commit e2dfa162 authored by Edwin Wong

Fix Heap buffer overflow in clearkey releaseSecureStops

Security Vulnerability fix: Heap buffer overflow in clearkey
releaseSecureStops - android.hardware.drm@1.1-service.clearkey

Fix provided by researcher.

Test: CTS tests
  android.media.cts.MediaDrmClearkeyTest#testSecureStop
  android.media.cts.MediaDrmClearkeyTest

Test: run drmpoc
  no signal 6 on clearkey service after the fix

Test: adb shell ps | grep clearkey
  pid ID does not change after running drmpoc

bug: 137284652
Change-Id: Id085945943aa6b85c597dc8b7c32a3b990c54a2b
parent c806cf4c
+2 −1
@@ -797,7 +797,8 @@ Return<void> DrmPlugin::getSecureStopIds(getSecureStopIds_cb _hidl_cb) {
}

Return<Status> DrmPlugin::releaseSecureStops(const SecureStopRelease& ssRelease) {
    if (ssRelease.opaqueData.size() == 0) {
    // minimum opaqueData contains the uint32_t count, see comment below
    if (ssRelease.opaqueData.size() < sizeof(uint32_t)) {
        return Status::BAD_VALUE;
    }
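Review bot: The new bound at `if (ssRelease.opaqueData.size() < sizeof(uint32_t))` only guarantees that the leading uint32_t count can be read; nothing in this hunk shows that count being checked against the bytes that remain in opaqueData after it. Please confirm that the code following this return rejects a count larger than what `opaqueData.size() - sizeof(uint32_t)` can hold before the entries it describes are read, otherwise the overflow is only moved past the header. The added comment also points to a "comment below" that sits outside the hunk; stating the expected opaqueData layout next to the check would make the minimum size self-explanatory.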