From e5d4a0be30bac8fdba7194841084dcf61be6e8a2 Mon Sep 17 00:00:00 2001
From: Jeff Tinker
Date: Mon, 17 Aug 2015 17:56:27 -0700
Subject: [PATCH] DO NOT MERGE Part of fix for libmedia OOB write anywhere
Prevent usage of client provided address on non-secure devices spoofed as being secure.
b/23223325
merge of go/wvgerrit/15420 from widevine repo
Change-Id: I1d4f3a652b3d5e78fca508f92005cfa8df5ec6db
---
 libwvdrmengine/cdm/core/include/wv_cdm_types.h | 1 +
 libwvdrmengine/cdm/core/src/crypto_session.cpp | 4 ++++
 libwvdrmengine/include/mapErrors-inl.h | 2 ++
 3 files changed, 7 insertions(+)
diff --git a/libwvdrmengine/cdm/core/include/wv_cdm_types.h b/libwvdrmengine/cdm/core/include/wv_cdm_types.h
index fea94185..89676e66 100644
--- a/libwvdrmengine/cdm/core/include/wv_cdm_types.h
+++ b/libwvdrmengine/cdm/core/include/wv_cdm_types.h
@@ -39,6 +39,7 @@ enum CdmResponseType {
 NEED_PROVISIONING,
 DEVICE_REVOKED,
 INSUFFICIENT_CRYPTO_RESOURCES,
+ SECURE_BUFFER_REQUIRED,
 };
 #define CORE_DISALLOW_COPY_AND_ASSIGN(TypeName) \
diff --git a/libwvdrmengine/cdm/core/src/crypto_session.cpp b/libwvdrmengine/cdm/core/src/crypto_session.cpp
index 3514985b..a2de3071 100644
--- a/libwvdrmengine/cdm/core/src/crypto_session.cpp
+++ b/libwvdrmengine/cdm/core/src/crypto_session.cpp
@@ -647,6 +647,10 @@ CdmResponseType CryptoSession::Decrypt(const CdmDecryptionParameters& params) {
 buffer_descriptor.type = params.is_secure ? destination_buffer_type_ : OEMCrypto_BufferType_Clear;
+ if (params.is_secure && buffer_descriptor.type == OEMCrypto_BufferType_Clear) {
+ return SECURE_BUFFER_REQUIRED;
+ }
+
 switch (buffer_descriptor.type) {
 case OEMCrypto_BufferType_Clear:
 buffer_descriptor.buffer.clear.address =
diff --git a/libwvdrmengine/include/mapErrors-inl.h b/libwvdrmengine/include/mapErrors-inl.h
index 9c0084ef..5d28bc0e 100644
--- a/libwvdrmengine/include/mapErrors-inl.h
+++ b/libwvdrmengine/include/mapErrors-inl.h
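Review bot: The new guard in CryptoSession::Decrypt (crypto_session.cpp) returns `SECURE_BUFFER_REQUIRED` without a log line or a comment, so a caller that claims a secure path on a device whose `destination_buffer_type_` is clear leaves no trace, and the security rationale lives only in the commit message. I would put `// Never decrypt to a caller-supplied clear address when the caller asked for a secure buffer.` above the check and, assuming the logging macro used elsewhere in this file is LOGE, `LOGE("CryptoSession::Decrypt: secure buffer requested but device output is clear");` before the return. The guard covers only `params.is_secure`; requests with `is_secure` false still reach the `OEMCrypto_BufferType_Clear` case, whose address handling continues outside the hunk, so validation of that address presumably sits in the other parts of this fix. Decrypt's body starts and ends outside the hunk.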
@@ -35,6 +35,8 @@ static android::status_t mapCdmResponseType(wvcdm::CdmResponseType res) {
 return kErrorCDMGeneric;
 case wvcdm::UNKNOWN_ERROR:
 return android::ERROR_DRM_UNKNOWN;
+ case wvcdm::SECURE_BUFFER_REQUIRED:
+ return android::ERROR_DRM_CANNOT_HANDLE;
 }
 // Return here instead of as a default case so that the compiler will warn
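Review bot: The new case in mapCdmResponseType maps `wvcdm::SECURE_BUFFER_REQUIRED` to `android::ERROR_DRM_CANNOT_HANDLE` with no comment saying that the generic code is deliberate. If that status is also returned for other conditions (not visible in this hunk), the framework side cannot tell a rejected spoofed-secure decrypt from any other unsupported request. A comment on the case, e.g. `// Secure decrypt requested but the device has no secure output buffer; reported generically to the framework.`, would record that choice. The function's body starts and ends outside the hunk.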