diff options
author | Robert Shih <robertshih@google.com> | 2019-09-11 21:32:09 -0700 |
---|---|---|
committer | android-build-merger <android-build-merger@google.com> | 2019-09-11 21:32:09 -0700 |
commit | c1d79c818293d05661bf1ff479ccd4b0722c7e15 (patch) | |
tree | 2d2bec48ee9eed892ec8de6839fc82205582a0ef | |
parent | 521f845b172c9df6f2d407f6b3fcaec48a20cf97 (diff) | |
parent | 4d3b73ee5e72070af8352bb59f1ab2b8e89b3f73 (diff) | |
download | android_hardware_interfaces-c1d79c818293d05661bf1ff479ccd4b0722c7e15.tar.gz android_hardware_interfaces-c1d79c818293d05661bf1ff479ccd4b0722c7e15.tar.bz2 android_hardware_interfaces-c1d79c818293d05661bf1ff479ccd4b0722c7e15.zip |
default hidl CryptoPlugin: security fixes am: 1e18883b72 am: 02ef6a6283
am: 4d3b73ee5e
Change-Id: I9a6dea5a04e2119954936501913d073c0d781bac
-rw-r--r-- | drm/1.0/default/CryptoPlugin.cpp | 30 |
1 files changed, 26 insertions, 4 deletions
diff --git a/drm/1.0/default/CryptoPlugin.cpp b/drm/1.0/default/CryptoPlugin.cpp index 666653b26..8ddc38022 100644 --- a/drm/1.0/default/CryptoPlugin.cpp +++ b/drm/1.0/default/CryptoPlugin.cpp @@ -101,11 +101,20 @@ namespace implementation { std::unique_ptr<android::CryptoPlugin::SubSample[]> legacySubSamples = std::make_unique<android::CryptoPlugin::SubSample[]>(subSamples.size()); + size_t destSize = 0; for (size_t i = 0; i < subSamples.size(); i++) { - legacySubSamples[i].mNumBytesOfClearData - = subSamples[i].numBytesOfClearData; - legacySubSamples[i].mNumBytesOfEncryptedData - = subSamples[i].numBytesOfEncryptedData; + uint32_t numBytesOfClearData = subSamples[i].numBytesOfClearData; + legacySubSamples[i].mNumBytesOfClearData = numBytesOfClearData; + uint32_t numBytesOfEncryptedData = subSamples[i].numBytesOfEncryptedData; + legacySubSamples[i].mNumBytesOfEncryptedData = numBytesOfEncryptedData; + if (__builtin_add_overflow(destSize, numBytesOfClearData, &destSize)) { + _hidl_cb(Status::BAD_VALUE, 0, "subsample clear size overflow"); + return Void(); + } + if (__builtin_add_overflow(destSize, numBytesOfEncryptedData, &destSize)) { + _hidl_cb(Status::BAD_VALUE, 0, "subsample encrypted size overflow"); + return Void(); + } } AString detailMessage; @@ -137,11 +146,24 @@ namespace implementation { _hidl_cb(Status::ERROR_DRM_CANNOT_HANDLE, 0, "invalid buffer size"); return Void(); } + + if (destSize > destBuffer.size) { + _hidl_cb(Status::BAD_VALUE, 0, "subsample sum too large"); + return Void(); + } + destPtr = static_cast<void *>(base + destination.nonsecureMemory.offset); } else if (destination.type == BufferType::NATIVE_HANDLE) { + if (!secure) { + _hidl_cb(Status::BAD_VALUE, 0, "native handle destination must be secure"); + return Void(); + } native_handle_t *handle = const_cast<native_handle_t *>( destination.secureMemory.getNativeHandle()); destPtr = static_cast<void *>(handle); + } else { + _hidl_cb(Status::BAD_VALUE, 0, "invalid destination type"); + return Void(); } ssize_t result = mLegacyPlugin->decrypt(secure, keyId.data(), iv.data(), legacyMode, legacyPattern, srcPtr, legacySubSamples.get(), |