[DO NOT MERGE] Fix heap buffer overflow for releaseSecureStops. If the input SecureStopRelease size is less than sizeof(uint32_t) in releaseSecureStops(), an out of bound read will occur. bug: 144766455 bug: 144746235 bug: 147281068 Test: sts ANDROID_BUILD_TOP= ./android-sts/tools/sts-tradefed run sts-engbuild-no-spl-lock -m StsHostTestCases --test android.security.sts.Poc19_11#testPocBug_144766455 Change-Id: Ieccdd86ad86966fbf1dde70d3b3fb73d6dd124a4 (cherry picked from commit fa237c4f76b7b9369d9c499bfdc81e5072ddde86)

commit: fe8b9a7cb32f739e3855c51c8803590908a1da9c [log] [tgz]
author: Edwin Wong <edwinwong@google.com> Wed Nov 27 10:46:17 2019 -0800
committer: android-build-team Robot <android-build-team-robot@google.com> Tue Feb 11 19:06:46 2020 +0000
tree: 07acdca0ba7f6e53664f6676150302429eecc5f7
parent: a66592bf964df38810f7aa0eba490ab11984ec87 [diff]
diff --git a/drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp b/drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp
index 71bb218..aab475e 100644
--- a/drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp
+++ b/drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp

@@ -818,6 +818,12 @@
     // and the drm service. The clearkey implementation consists of:
     //    count - number of secure stops
     //    list of fixed length secure stops
+    size_t countBufferSize = sizeof(uint32_t);
+    if (input.size() < countBufferSize) {
+        // SafetyNet logging
+        android_errorWriteLog(0x534e4554, "144766455");
+        return Status::BAD_VALUE;
+    }
     uint32_t count = 0;
     sscanf(reinterpret_cast<char*>(input.data()), "%04" PRIu32, &count);
commit	fe8b9a7cb32f739e3855c51c8803590908a1da9c	[log] [tgz]
author	Edwin Wong <edwinwong@google.com>	Wed Nov 27 10:46:17 2019 -0800
committer	android-build-team Robot <android-build-team-robot@google.com>	Tue Feb 11 19:06:46 2020 +0000
tree	07acdca0ba7f6e53664f6676150302429eecc5f7
parent	a66592bf964df38810f7aa0eba490ab11984ec87 [diff]