Fixed a buffer overflow bug in DrmPassthruPlugin

author James Dong <jdong@google.com>

Wed, 14 Mar 2012 02:20:55 +0000 (19:20 -0700)

committer James Dong <jdong@google.com>

Wed, 14 Mar 2012 02:23:23 +0000 (19:23 -0700)
author James Dong <jdong@google.com>
Wed, 14 Mar 2012 02:20:55 +0000 (19:20 -0700)
committer James Dong <jdong@google.com>
Wed, 14 Mar 2012 02:23:23 +0000 (19:23 -0700)
diff --git a/drm/libdrmframework/plugins/passthru/src/DrmPassthruPlugIn.cpp b/drm/libdrmframework/plugins/passthru/src/DrmPassthruPlugIn.cpp

index 0ffc0a7..77db32c 100644 (file)
--- a/drm/libdrmframework/plugins/passthru/src/DrmPassthruPlugIn.cpp
+++ b/drm/libdrmframework/plugins/passthru/src/DrmPassthruPlugIn.cpp
@@ -279,8 +279,14 @@ status_t DrmPassthruPlugIn::onDecrypt(int uniqueId, DecryptHandle* decryptHandle
       * memory has to be allocated by the caller.
       */
      if (NULL != (*decBuffer) && 0 < (*decBuffer)->length) {
-        memcpy((*decBuffer)->data, encBuffer->data, encBuffer->length);
-        (*decBuffer)->length = encBuffer->length;
+        if ((*decBuffer)->length >= encBuffer->length) {
+            memcpy((*decBuffer)->data, encBuffer->data, encBuffer->length);
+            (*decBuffer)->length = encBuffer->length;
+        } else {
+            ALOGE("decBuffer size (%d) too small to hold %d bytes",
+                (*decBuffer)->length, encBuffer->length);
+            return DRM_ERROR_UNKNOWN;
+        }
      }
      return DRM_NO_ERROR;
  }
author	James Dong <jdong@google.com>
	Wed, 14 Mar 2012 02:20:55 +0000 (19:20 -0700)
committer	James Dong <jdong@google.com>
	Wed, 14 Mar 2012 02:23:23 +0000 (19:23 -0700)