Merge "Fix overflow check and check read result" into klp-dev am: b6aa3901ce am: e541fa1764 am: 7f3980c0ca am: ea2023406b am: 3fc94bc146 am: 497f2ccce4 am: 917033735e am: 3b122332a1 am: 89cbb8482b am: 3ce7b4ddca am: 96fbe3c2e5 am: d625f8dcab am: d572632948
am: 72ff526520
Change-Id: Ie0a458392a8aacb64c0852b18bbc55a1542c4d94
diff --git a/media/libmedia/IHDCP.cpp b/media/libmedia/IHDCP.cpp
index 21e35f6..15ed579 100644
--- a/media/libmedia/IHDCP.cpp
+++ b/media/libmedia/IHDCP.cpp
@@ -241,14 +241,11 @@
case HDCP_ENCRYPT:
{
size_t size = data.readInt32();
- size_t bufSize = 2 * size;
-
- // watch out for overflow
void *inData = NULL;
- if (bufSize > size) {
- inData = malloc(bufSize);
+ // watch out for overflow
+ if (size <= SIZE_MAX / 2) {
+ inData = malloc(2 * size);
}
-
if (inData == NULL) {
reply->writeInt32(ERROR_OUT_OF_RANGE);
return OK;
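Review bot: `size` comes straight from the parcel and the new guard before `malloc(2 * size)` only rules out arithmetic wrap-around, so any non-negative 32-bit value is still accepted and a single transaction can ask the service to allocate close to 4 GiB before anything checks that the parcel holds that much payload. Bounding the length against the remaining parcel data first would close this, for example `if (size > data.dataAvail()) { reply->writeInt32(ERROR_OUT_OF_RANGE); return OK; }` placed ahead of the allocation. Negative values from `readInt32()` are rejected only because the implicit conversion to `size_t` makes them larger than `SIZE_MAX / 2`; a short comment such as `// negative lengths convert to huge size_t values and fail this check` would make that visible to the next reader. A `size` of 0 reaches `malloc(0)`, whose result is implementation-defined, so it may or may not be reported as `ERROR_OUT_OF_RANGE`. The `HDCP_ENCRYPT` case continues past the end of this hunk.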
@@ -256,11 +253,16 @@
void *outData = (uint8_t *)inData + size;
- data.read(inData, size);
+ status_t err = data.read(inData, size);
+ if (err != OK) {
+ free(inData);
+ reply->writeInt32(err);
+ return OK;
+ }
uint32_t streamCTR = data.readInt32();
uint64_t inputCTR;
- status_t err = encrypt(inData, size, streamCTR, &inputCTR, outData);
+ err = encrypt(inData, size, streamCTR, &inputCTR, outData);
reply->writeInt32(err);