HDCP: buffer over flow check -- DO NOT MERGE

bug: 20222489 Change-Id: I3a64a5999d68ea243d187f12ec7717b7f26d93a3 (cherry picked from commit 532cd7b)
CyanogenMod · Aug 12, 2015 · 626ad26 · 626ad26
1 parent 7f4cec9
commit 626ad26
Showing 1 changed file with 24 additions and 2 deletions.
diff --git a/media/libmedia/IHDCP.cpp b/media/libmedia/IHDCP.cpp
@@ -241,8 +241,19 @@ status_t BnHDCP::onTransact(
         case HDCP_ENCRYPT:
         {
             size_t size = data.readInt32();
+            size_t bufSize = 2 * size;
+
+            // watch out for overflow
+            void *inData = NULL;
+            if (bufSize > size) {
+                inData = malloc(bufSize);
+            }
+
+            if (inData == NULL) {
+                reply->writeInt32(ERROR_OUT_OF_RANGE);
+                return OK;
+            }
 
-            void *inData = malloc(2 * size);
             void *outData = (uint8_t *)inData + size;
 
             data.read(inData, size);
@@ -295,8 +306,19 @@ status_t BnHDCP::onTransact(
         case HDCP_DECRYPT:
         {
             size_t size = data.readInt32();
+            size_t bufSize = 2 * size;
+
+            // watch out for overflow
+            void *inData = NULL;
+            if (bufSize > size) {
+                inData = malloc(bufSize);
+            }
+
+            if (inData == NULL) {
+                reply->writeInt32(ERROR_OUT_OF_RANGE);
+                return OK;
+            }
 
-            void *inData = malloc(2 * size);
             void *outData = (uint8_t *)inData + size;
 
             data.read(inData, size);