widevine-partner/android
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge "[RESTRICT AUTOMERGE] Fix WVCryptoPlugin use after free vulnerability." into pi-dev

Browse Source
This commit is contained in:
Edwin Wong
2021-04-06 22:27:14 +00:00
committed by Android (Google) Code Review
parent 7752248af7 93dd56bae2
commit 9452ee5a55
3 changed files with 14 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
libwvdrmengine/mediacrypto/src_hidl/WVCryptoPlugin.cpp
View File

@@ -100,6 +100,8 @@ Return<void> WVCryptoPlugin::setSharedBufferBase(
sp<IMemory> hidlMemory = mapMemory(base);
ALOGE_IF(hidlMemory == nullptr, "mapMemory returns nullptr");
std::lock_guard<std::mutex> shared_buffer_lock(mSharedBufferLock);
// allow mapMemory to return nullptr
mSharedBufferMap[bufferId] = hidlMemory;
return Void();
@@ -116,7 +118,7 @@ Return<void> WVCryptoPlugin::decrypt(
uint64_t offset,
const DestinationBuffer& destination,
decrypt_cb _hidl_cb) {
std::unique_lock<std::mutex> lock(mSharedBufferLock);
if (mSharedBufferMap.find(source.bufferId) == mSharedBufferMap.end()) {
_hidl_cb(Status::ERROR_DRM_CANNOT_HANDLE, 0,
"source decrypt buffer base not set");
@@ -187,6 +189,9 @@ Return<void> WVCryptoPlugin::decrypt(
destPtr = static_cast<void *>(handle);
}
// release mSharedBufferLock
lock.unlock();
// Calculate the output buffer size and determine if any subsamples are
// encrypted.
size_t destSize = 0;