From 591f24cd32db96acffab727a3c6363d9fe203fdd Mon Sep 17 00:00:00 2001
From: Edwin Wong
Date: Tue, 17 Dec 2019 17:45:33 -0800
Subject: [PATCH] Fix heap buffer overflow in clearkey CryptoPlugin::decrypt

Fix destPtr was not pointing to destination raw pointer.
merge from qt-qpr1-dev: go/ag/9941940
bug: 144506242
Test: sts ANDROID_BUILD_TOP= ./android-sts/tools/sts-tradefed run sts-engbuild-no-spl-lock -m StsHostTestCases --test android.security.sts.Poc19_12#testPocBug_144506242
Change-Id: I9fb4ad350ec25dd697940fee57748652745a951d
---
 drm/mediadrm/plugins/clearkey/hidl/CryptoPlugin.cpp | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drm/mediadrm/plugins/clearkey/hidl/CryptoPlugin.cpp b/drm/mediadrm/plugins/clearkey/hidl/CryptoPlugin.cpp
index f164f2859b..3ecf6d5acd 100644
--- a/drm/mediadrm/plugins/clearkey/hidl/CryptoPlugin.cpp
+++ b/drm/mediadrm/plugins/clearkey/hidl/CryptoPlugin.cpp
@@ -136,6 +136,8 @@ Return CryptoPlugin::decrypt_1_2(
 return Void();
 }

+ base = static_cast(static_cast(destBase->getPointer()));
+
 if (destBuffer.offset + destBuffer.size > destBase->getSize()) {
 _hidl_cb(Status_V1_2::ERROR_DRM_FRAME_TOO_LARGE, 0, "invalid buffer size");
 return Void();
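Review bot: The bounds check directly after the new `base = ...` assignment still computes `destBuffer.offset + destBuffer.size` with no overflow guard. If those fields are caller-supplied unsigned 64-bit values (their types are not visible in this hunk), a very large offset could wrap the sum and pass the `> destBase->getSize()` test. A subtraction form cannot wrap: `if (destBuffer.offset > destBase->getSize() || destBuffer.size > destBase->getSize() - destBuffer.offset) {`. It is also worth confirming that `destBase->getPointer()` cannot return null before `base` is used for pointer arithmetic, and adding a short comment above the assignment, for example `// base must refer to the destination mapping from here on (it is presumably still the source mapping before this line)`. decrypt_1_2 starts and ends outside the hunk, so the earlier check on `destBase` and the later uses of `base` are not visible here.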