summaryrefslogtreecommitdiffstats
path: root/drm
diff options
context:
space:
mode:
authorRobert Shih <robertshih@google.com>2019-09-11 21:09:00 -0700
committerandroid-build-merger <android-build-merger@google.com>2019-09-11 21:09:00 -0700
commit02ef6a6283a97b968ff0d7bfa1537f48e0565912 (patch)
tree2c556fb7c3ce4874df9481ccfee67b593388c172 /drm
parent955548eec17dd424123c81da35f01300c3511b2b (diff)
parent1e18883b72351531e4a11df49fffc0454e9108b8 (diff)
downloadandroid_hardware_interfaces-02ef6a6283a97b968ff0d7bfa1537f48e0565912.tar.gz
android_hardware_interfaces-02ef6a6283a97b968ff0d7bfa1537f48e0565912.tar.bz2
android_hardware_interfaces-02ef6a6283a97b968ff0d7bfa1537f48e0565912.zip
default hidl CryptoPlugin: security fixes
am: 1e18883b72 Change-Id: Ifbbc3cf6c827085046259365808d962ad192c55a
Diffstat (limited to 'drm')
-rw-r--r--drm/1.0/default/CryptoPlugin.cpp30
1 files changed, 26 insertions, 4 deletions
diff --git a/drm/1.0/default/CryptoPlugin.cpp b/drm/1.0/default/CryptoPlugin.cpp
index 666653b26..8ddc38022 100644
--- a/drm/1.0/default/CryptoPlugin.cpp
+++ b/drm/1.0/default/CryptoPlugin.cpp
@@ -101,11 +101,20 @@ namespace implementation {
std::unique_ptr<android::CryptoPlugin::SubSample[]> legacySubSamples =
std::make_unique<android::CryptoPlugin::SubSample[]>(subSamples.size());
+ size_t destSize = 0;
for (size_t i = 0; i < subSamples.size(); i++) {
- legacySubSamples[i].mNumBytesOfClearData
- = subSamples[i].numBytesOfClearData;
- legacySubSamples[i].mNumBytesOfEncryptedData
- = subSamples[i].numBytesOfEncryptedData;
+ uint32_t numBytesOfClearData = subSamples[i].numBytesOfClearData;
+ legacySubSamples[i].mNumBytesOfClearData = numBytesOfClearData;
+ uint32_t numBytesOfEncryptedData = subSamples[i].numBytesOfEncryptedData;
+ legacySubSamples[i].mNumBytesOfEncryptedData = numBytesOfEncryptedData;
+ if (__builtin_add_overflow(destSize, numBytesOfClearData, &destSize)) {
+ _hidl_cb(Status::BAD_VALUE, 0, "subsample clear size overflow");
+ return Void();
+ }
+ if (__builtin_add_overflow(destSize, numBytesOfEncryptedData, &destSize)) {
+ _hidl_cb(Status::BAD_VALUE, 0, "subsample encrypted size overflow");
+ return Void();
+ }
}
AString detailMessage;
@@ -137,11 +146,24 @@ namespace implementation {
_hidl_cb(Status::ERROR_DRM_CANNOT_HANDLE, 0, "invalid buffer size");
return Void();
}
+
+ if (destSize > destBuffer.size) {
+ _hidl_cb(Status::BAD_VALUE, 0, "subsample sum too large");
+ return Void();
+ }
+
destPtr = static_cast<void *>(base + destination.nonsecureMemory.offset);
} else if (destination.type == BufferType::NATIVE_HANDLE) {
+ if (!secure) {
+ _hidl_cb(Status::BAD_VALUE, 0, "native handle destination must be secure");
+ return Void();
+ }
native_handle_t *handle = const_cast<native_handle_t *>(
destination.secureMemory.getNativeHandle());
destPtr = static_cast<void *>(handle);
+ } else {
+ _hidl_cb(Status::BAD_VALUE, 0, "invalid destination type");
+ return Void();
}
ssize_t result = mLegacyPlugin->decrypt(secure, keyId.data(), iv.data(),
legacyMode, legacyPattern, srcPtr, legacySubSamples.get(),