[RESTRICT AUTOMERGE] Fix WVCryptoPlugin use after free vulnerability.

The shared memory buffer used by srcPtr can be freed by another
thread because it is not protected by a mutex. Subsequently,
a use after free AIGABRT can occur in a race condition.

SafetyNet logging is not added to avoid log spamming. The
mutex lock is called to setup for decryption, which is
called frequently.

Test is run on rvc-dev branch, using target_hwasan-userdebug build.

Test: sts
  sts-tradefed run sts-engbuild-no-spl-lock -m StsHostTestCases --test android.security.sts.Bug_176495665#testPocBug_176495665

Test: push to device with target_hwasan-userdebug build
  adb shell /data/local/tmp/Bug-176495665_sts64

Bug: 176495665
Bug: 176444161
Change-Id: Ie1aca0ceacb4b7a1b6e473b823541607a36d8cb4

libwvdrmengine/mediacrypto/src_hidl/WVCryptoPlugin.cpp

@@ -98,6 +98,8 @@ Return<void> WVCryptoPlugin::setSharedBufferBase(
   sp<IMemory> hidlMemory = mapMemory(base);
   ALOGE_IF(hidlMemory == nullptr, "mapMemory returns nullptr");
 
+  std::lock_guard<std::mutex> shared_buffer_lock(mSharedBufferLock);
+
   // allow mapMemory to return nullptr
   mSharedBufferMap[bufferId] = hidlMemory;
   return Void();
@@ -114,7 +116,7 @@ Return<void> WVCryptoPlugin::decrypt(
     uint64_t offset,
     const DestinationBuffer& destination,
     decrypt_cb _hidl_cb) {
-
+    std::unique_lock<std::mutex> lock(mSharedBufferLock);
     if (mSharedBufferMap.find(source.bufferId) == mSharedBufferMap.end()) {
       _hidl_cb(Status::ERROR_DRM_CANNOT_HANDLE, 0,
                "source decrypt buffer base not set");
@@ -182,6 +184,9 @@ Return<void> WVCryptoPlugin::decrypt(
     destPtr = static_cast<void *>(handle);
   }
 
+  // release mSharedBufferLock
+  lock.unlock();
+
   // Calculate the output buffer size and determine if any subsamples are
   // encrypted.
   size_t destSize = 0;