am a6e9dd94: am 270caf9a: am 23d41fb1: am 2a9ccb66: am fd3a6e71: HDCP: buffer over flow check -- DO NOT MERGE
* commit 'a6e9dd941a3055526f6e967017e91a76c153087a':
HDCP: buffer over flow check -- DO NOT MERGE
diff --git a/media/libmedia/IHDCP.cpp b/media/libmedia/IHDCP.cpp
index 9122f75..79944ee 100644
--- a/media/libmedia/IHDCP.cpp
+++ b/media/libmedia/IHDCP.cpp
@@ -241,8 +241,19 @@
case HDCP_ENCRYPT:
{
size_t size = data.readInt32();
+ size_t bufSize = 2 * size;
- void *inData = malloc(2 * size);
+ // watch out for overflow
+ void *inData = NULL;
+ if (bufSize > size) {
+ inData = malloc(bufSize);
+ }
+
+ if (inData == NULL) {
+ reply->writeInt32(ERROR_OUT_OF_RANGE);
+ return OK;
+ }
+
void *outData = (uint8_t *)inData + size;
data.read(inData, size);
@@ -295,8 +306,19 @@
case HDCP_DECRYPT:
{
size_t size = data.readInt32();
+ size_t bufSize = 2 * size;
- void *inData = malloc(2 * size);
+ // watch out for overflow
+ void *inData = NULL;
+ if (bufSize > size) {
+ inData = malloc(bufSize);
+ }
+
+ if (inData == NULL) {
+ reply->writeInt32(ERROR_OUT_OF_RANGE);
+ return OK;
+ }
+
void *outData = (uint8_t *)inData + size;
data.read(inData, size);