[DO NOT MERGE] Fix heap buffer overflow for releaseSecureStops. If the input SecureStopRelease size is less than sizeof(uint32_t) in releaseSecureStops(), an out of bound read will occur. bug: 144766455 bug: 144746235 bug: 147281068 Test: sts ANDROID_BUILD_TOP= ./android-sts/tools/sts-tradefed run sts-engbuild-no-spl-lock -m StsHostTestCases --test android.security.sts.Poc19_11#testPocBug_144766455 Change-Id: I050504c1ef4e5c41fb47ee97e98db41399288a91 (cherry picked from commit 2587ab6c7642062ea1791de1868c28b1164a073c)

commit: f0364ba28c822fb21322a8ac6cd7a2af3a5d2ec2 [log] [tgz]
author: Edwin Wong <edwinwong@google.com> Tue Nov 26 14:40:45 2019 -0800
committer: Anis Assi <anisassi@google.com> Thu Feb 06 15:18:05 2020 -0800
tree: bd44d2226761645428a4472a8bb62ce363e472f8
parent: e79a0716216edade8100dd4d6b05a69e80ce25ed [diff]
diff --git a/drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp b/drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp
index d51e29d..30f7459 100644
--- a/drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp
+++ b/drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp

@@ -531,6 +531,11 @@
     //    count - number of secure stops
     //    list of fixed length secure stops
     size_t countBufferSize = sizeof(uint32_t);
+    if (input.size() < countBufferSize) {
+        // SafetyNet logging
+        android_errorWriteLog(0x534e4554, "144766455");
+        return Status::BAD_VALUE;
+    }
     uint32_t count = 0;
     sscanf(reinterpret_cast<char*>(input.data()), "%04" PRIu32, &count);
commit	f0364ba28c822fb21322a8ac6cd7a2af3a5d2ec2	[log] [tgz]
author	Edwin Wong <edwinwong@google.com>	Tue Nov 26 14:40:45 2019 -0800
committer	Anis Assi <anisassi@google.com>	Thu Feb 06 15:18:05 2020 -0800
tree	bd44d2226761645428a4472a8bb62ce363e472f8
parent	e79a0716216edade8100dd4d6b05a69e80ce25ed [diff]