HDCP: buffer over flow check -- DO NOT MERGE

bug: 20222489 Change-Id: I3a64a5999d68ea243d187f12ec7717b7f26d93a3 (cherry picked from commit 532cd7b86a5fdc7b9a30a45d8ae2d16ef7660a72) Conflicts: media/libmedia/IHDCP.cpp
author: Chong Zhang <chz@google.com> 2015-04-27 18:38:17 -0700
committer: Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de> 2015-10-18 13:42:17 +0200
commit: 07a749bc4798240576db362e23d03c2269b897da (patch)
tree: dd0b6536ed2ae0949aad3b10902351c60c5fef15
parent: a4ab71c55d743ad4eefa83b9e2861d95520a4e08 (diff)
download: frameworks_av-07a749bc4798240576db362e23d03c2269b897da.zip
frameworks_av-07a749bc4798240576db362e23d03c2269b897da.tar.gz
frameworks_av-07a749bc4798240576db362e23d03c2269b897da.tar.bz2
1 files changed, 12 insertions, 1 deletions
diff --git a/media/libmedia/IHDCP.cpp b/media/libmedia/IHDCP.cpp
index 493f5a4..3b42267 100644
--- a/media/libmedia/IHDCP.cpp
+++ b/media/libmedia/IHDCP.cpp
@@ -175,8 +175,19 @@ status_t BnHDCP::onTransact(
         case HDCP_ENCRYPT:
         {
             size_t size = data.readInt32();
+            size_t bufSize = 2 * size;
+
+            // watch out for overflow
+            void *inData = NULL;
+            if (bufSize > size) {
+                inData = malloc(bufSize);
+            }
+
+            if (inData == NULL) {
+                reply->writeInt32(ERROR_OUT_OF_RANGE);
+                return OK;
+            }
 
-            void *inData = malloc(2 * size);
             void *outData = (uint8_t *)inData + size;
 
             data.read(inData, size);
author	Chong Zhang <chz@google.com>	2015-04-27 18:38:17 -0700
committer	Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de>	2015-10-18 13:42:17 +0200
commit	07a749bc4798240576db362e23d03c2269b897da (patch)
tree	dd0b6536ed2ae0949aad3b10902351c60c5fef15
parent	a4ab71c55d743ad4eefa83b9e2861d95520a4e08 (diff)
download	frameworks_av-07a749bc4798240576db362e23d03c2269b897da.zip frameworks_av-07a749bc4798240576db362e23d03c2269b897da.tar.gz frameworks_av-07a749bc4798240576db362e23d03c2269b897da.tar.bz2