author | Kevin F. Haggerty <haggertk@lineageos.org> | 2019-11-11 19:42:20 -0700 |
---|---|---|
committer | Kevin F. Haggerty <haggertk@lineageos.org> | 2019-11-11 19:42:20 -0700 |
commit | fb53ac69f4d87f4a53e0a8c5416802bada0b1bfb (patch) | |
tree | 2f42eb401136ef8d200e4a3e95c9208ee33b3e58 | |
parent | 51e4f47a63bfb9e7f69f1fe0591af6c118315615 (diff) | |
parent | 60660693f45b15020b737a8621959f18693d3521 (diff) | |
Merge tag 'android-9.0.0_r50' into staging/lineage-16.0_merge-android-9.0.0_r50
Android 9.0.0 release 50
* tag 'android-9.0.0_r50':
[RESTRICT AUTOMERGE] clearkey hidl CryptoPlugin: security fixes
Change-Id: I5228b7b4a73a96cfafd7b09dd391b07a78ac27ec
-rw-r--r-- | drm/mediadrm/plugins/clearkey/hidl/CryptoPlugin.cpp | 46 |
1 files changed, 28 insertions, 18 deletions
diff --git a/drm/mediadrm/plugins/clearkey/hidl/CryptoPlugin.cpp b/drm/mediadrm/plugins/clearkey/hidl/CryptoPlugin.cpp
index f33f94e711..198e0997d0 100644
--- a/drm/mediadrm/plugins/clearkey/hidl/CryptoPlugin.cpp
+++ b/drm/mediadrm/plugins/clearkey/hidl/CryptoPlugin.cpp
@@ -77,6 +77,10 @@ Return<void> CryptoPlugin::decrypt(
 "destination decrypt buffer base not set");
 return Void();
 }
+ } else {
+ _hidl_cb(Status::ERROR_DRM_CANNOT_HANDLE, 0,
+ "destination type not supported");
+ return Void();
 }
 sp<IMemory> sourceBase = mSharedBufferMap[source.bufferId];
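Review bot: Nothing at the new `else` branch records that the rest of decrypt() now depends on it: the hunk at -94 reads `destination.nonsecureMemory` unconditionally, which is only valid because every other destination type returns here. A comment on the branch such as `// Only SHARED_MEMORY destinations are supported; code below reads destination.nonsecureMemory without re-checking the type.` would keep a later edit from adding a second buffer type without revisiting those reads. The `if` this `else` pairs with starts outside the hunk, so its condition is inferred from the comment added further down.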
@@ -94,24 +98,19 @@ Return<void> CryptoPlugin::decrypt(
 (static_cast<void *>(sourceBase->getPointer()));
 uint8_t* srcPtr = static_cast<uint8_t *>(base + source.offset + offset);
 void* destPtr = NULL;
- if (destination.type == BufferType::SHARED_MEMORY) {
- const SharedBuffer& destBuffer = destination.nonsecureMemory;
- sp<IMemory> destBase = mSharedBufferMap[destBuffer.bufferId];
- if (destBase == nullptr) {
- _hidl_cb(Status::ERROR_DRM_CANNOT_HANDLE, 0, "destination is a nullptr");
- return Void();
- }
+ // destination.type == BufferType::SHARED_MEMORY
+ const SharedBuffer& destBuffer = destination.nonsecureMemory;
+ sp<IMemory> destBase = mSharedBufferMap[destBuffer.bufferId];
+ if (destBase == nullptr) {
+ _hidl_cb(Status::ERROR_DRM_CANNOT_HANDLE, 0, "destination is a nullptr");
+ return Void();
+ }
- if (destBuffer.offset + destBuffer.size > destBase->getSize()) {
- _hidl_cb(Status::ERROR_DRM_CANNOT_HANDLE, 0, "invalid buffer size");
- return Void();
- }
- destPtr = static_cast<void *>(base + destination.nonsecureMemory.offset);
- } else if (destination.type == BufferType::NATIVE_HANDLE) {
- native_handle_t *handle = const_cast<native_handle_t *>(
- destination.secureMemory.getNativeHandle());
- destPtr = static_cast<void *>(handle);
+ if (destBuffer.offset + destBuffer.size > destBase->getSize()) {
+ _hidl_cb(Status::ERROR_DRM_CANNOT_HANDLE, 0, "invalid buffer size");
+ return Void();
 }
+ destPtr = static_cast<void *>(base + destination.nonsecureMemory.offset);
 // Calculate the output buffer size and determine if any subsamples are
 // encrypted.
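Review bot: The retained bounds check `destBuffer.offset + destBuffer.size > destBase->getSize()` can wrap if both fields are wide unsigned integers supplied by the caller (their types are not visible here), which would let an oversized offset pass. Computing the sum with the builtin this commit already uses in the subsample loop closes that: with a local `end` of the fields' type, `if (__builtin_add_overflow(destBuffer.offset, destBuffer.size, &end) || end > destBase->getSize()) {`. Separately, `destPtr` is still formed from `base`, which the context line above shows is derived from `sourceBase->getPointer()`, while the size check is made against `destBase`; unless source and destination are guaranteed to share one mapping, the pointer should be built from `destBase->getPointer()`. The declaration of `base` begins outside the hunk.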
@@ -119,13 +118,24 @@ Return<void> CryptoPlugin::decrypt(
 bool haveEncryptedSubsamples = false;
 for (size_t i = 0; i < subSamples.size(); i++) {
 const SubSample &subSample = subSamples[i];
- destSize += subSample.numBytesOfClearData;
- destSize += subSample.numBytesOfEncryptedData;
+ if (__builtin_add_overflow(destSize, subSample.numBytesOfClearData, &destSize)) {
+ _hidl_cb(Status::BAD_VALUE, 0, "subsample clear size overflow");
+ return Void();
+ }
+ if (__builtin_add_overflow(destSize, subSample.numBytesOfEncryptedData, &destSize)) {
+ _hidl_cb(Status::BAD_VALUE, 0, "subsample encrypted size overflow");
+ return Void();
+ }
 if (subSample.numBytesOfEncryptedData > 0) {
 haveEncryptedSubsamples = true;
 }
 }
+ if (destSize > destBuffer.size) {
+ _hidl_cb(Status::BAD_VALUE, 0, "subsample sum too large");
+ return Void();
+ }
+
 if (mode == Mode::UNENCRYPTED) {
 if (haveEncryptedSubsamples) {
 _hidl_cb(Status::ERROR_DRM_CANNOT_HANDLE, 0, |
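Review bot: The new `destSize > destBuffer.size` check bounds the subsample total against the destination only; the same total presumably also determines how many bytes are read starting at `srcPtr`, and no comparison against the source buffer is visible in this hunk. If that is not enforced earlier in decrypt(), a matching guard belongs next to this one, with a condition along the lines of `if (destSize > source.size)` returning `Status::BAD_VALUE` (assuming `source` carries a `size` field like `destBuffer`). The copy and decrypt loops that consume these sizes lie below the hunk, so the read side could not be confirmed from here.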