Fix potential buffer overflow in mediadrmserver

author Jeff Tinker <jtinker@google.com>

Thu, 11 Jan 2018 08:14:53 +0000 (00:14 -0800)

committer Ryan Longair <rlongair@google.com>

Thu, 18 Jan 2018 18:16:48 +0000 (10:16 -0800)
author Jeff Tinker <jtinker@google.com>
Thu, 11 Jan 2018 08:14:53 +0000 (00:14 -0800)
committer Ryan Longair <rlongair@google.com>
Thu, 18 Jan 2018 18:16:48 +0000 (10:16 -0800)
diff --git a/drm/libmediadrm/ICrypto.cpp b/drm/libmediadrm/ICrypto.cpp

index 8506d95..37dc83b 100644 (file)
--- a/drm/libmediadrm/ICrypto.cpp
+++ b/drm/libmediadrm/ICrypto.cpp
@@ -16,14 +16,14 @@
  
  //#define LOG_NDEBUG 0
  #define LOG_TAG "ICrypto"
-#include <utils/Log.h>
-
  #include <binder/Parcel.h>
  #include <binder/IMemory.h>
+#include <cutils/log.h>
  #include <media/ICrypto.h>
  #include <media/stagefright/MediaErrors.h>
  #include <media/stagefright/foundation/ADebug.h>
  #include <media/stagefright/foundation/AString.h>
+#include <utils/Log.h>
  
  namespace android {
  
@@ -362,6 +362,13 @@ status_t BnCrypto::onTransact(
                      reply->writeInt32(BAD_VALUE);
                      return OK;
                  }
+                sp<IMemory> dest = destination.mSharedMemory;
+                if (totalSize > dest->size() ||
+                        (size_t)dest->offset() > dest->size() - totalSize) {
+                    reply->writeInt32(BAD_VALUE);
+                    android_errorWriteLog(0x534e4554, "71389378");
+                    return OK;
+                }
              }
  
              AString errorDetailMsg;
author	Jeff Tinker <jtinker@google.com>
	Thu, 11 Jan 2018 08:14:53 +0000 (00:14 -0800)
committer	Ryan Longair <rlongair@google.com>
	Thu, 18 Jan 2018 18:16:48 +0000 (10:16 -0800)