widevine-partner/android
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge "Fix WVCryptoPlugin use after free vulnerability." into sc-dev am: 9d1ad7590a

Browse Source 
Original change: https://googleplex-android-review.googlesource.com/c/platform/vendor/widevine/+/13808139

Change-Id: I4c2aadb7b98c48abc349582d0bca0ddb41d05df7
This commit is contained in:
Edwin Wong
2021-04-05 21:35:55 +00:00
committed by Automerger Merge Worker
parent 1df93e5cae 9d1ad7590a
commit c10f719067
3 changed files with 15 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
libwvdrmengine/mediacrypto/src_hidl/WVCryptoPlugin.cpp
View File

@@ -121,6 +121,8 @@ Return<void> WVCryptoPlugin::setSharedBufferBase(
const hidl_memory& base, uint32_t bufferId) {
sp<IMemory> hidlMemory = mapMemory(base);
std::lock_guard<std::mutex> shared_buffer_lock(mSharedBufferLock);
// allow mapMemory to return nullptr
mSharedBufferMap[bufferId] = hidlMemory;
return Void();
@@ -169,7 +171,7 @@ Return<void> WVCryptoPlugin::decrypt_1_2(
uint64_t offset,
const DestinationBuffer& destination,
decrypt_1_2_cb _hidl_cb) {
std::unique_lock<std::mutex> lock(mSharedBufferLock);
if (mSharedBufferMap.find(source.bufferId) == mSharedBufferMap.end()) {
_hidl_cb(Status_V1_2::ERROR_DRM_CANNOT_HANDLE, 0,
"source decrypt buffer base not set");
@@ -245,6 +247,9 @@ Return<void> WVCryptoPlugin::decrypt_1_2(
destPtr = static_cast<void *>(handle);
}
// release mSharedBufferLock
lock.unlock();
// Set up the decrypt params
CdmDecryptionParametersV16 params;
params.key_id = cryptoKey;