default hidl CryptoPlugin: security fixes

am: 1e18883b72 Change-Id: Ifbbc3cf6c827085046259365808d962ad192c55a
2019-09-11 21:09:00 -07:00 · 2019-09-11 21:09:00 -07:00 · 02ef6a6283
commit 02ef6a6283
parent 955548eec1 1e18883b72
1 changed files with 26 additions and 4 deletions
--- a/drm/1.0/default/CryptoPlugin.cpp
+++ b/drm/1.0/default/CryptoPlugin.cpp
@ -101,11 +101,20 @@ namespace implementation {
        std::unique_ptr<android::CryptoPlugin::SubSample[]> legacySubSamples =
                std::make_unique<android::CryptoPlugin::SubSample[]>(subSamples.size());

+        size_t destSize = 0;
        for (size_t i = 0; i < subSamples.size(); i++) {
-            legacySubSamples[i].mNumBytesOfClearData
-                = subSamples[i].numBytesOfClearData;
-            legacySubSamples[i].mNumBytesOfEncryptedData
-                = subSamples[i].numBytesOfEncryptedData;
+            uint32_t numBytesOfClearData = subSamples[i].numBytesOfClearData;
+            legacySubSamples[i].mNumBytesOfClearData = numBytesOfClearData;
+            uint32_t numBytesOfEncryptedData = subSamples[i].numBytesOfEncryptedData;
+            legacySubSamples[i].mNumBytesOfEncryptedData = numBytesOfEncryptedData;
+            if (__builtin_add_overflow(destSize, numBytesOfClearData, &destSize)) {
+                _hidl_cb(Status::BAD_VALUE, 0, "subsample clear size overflow");
+                return Void();
+            }
+            if (__builtin_add_overflow(destSize, numBytesOfEncryptedData, &destSize)) {
+                _hidl_cb(Status::BAD_VALUE, 0, "subsample encrypted size overflow");
+                return Void();
+            }
        }

        AString detailMessage;
@ -137,11 +146,24 @@ namespace implementation {
                _hidl_cb(Status::ERROR_DRM_CANNOT_HANDLE, 0, "invalid buffer size");
                return Void();
            }
+
+            if (destSize > destBuffer.size) {
+                _hidl_cb(Status::BAD_VALUE, 0, "subsample sum too large");
+                return Void();
+            }
+
            destPtr = static_cast<void *>(base + destination.nonsecureMemory.offset);
        } else if (destination.type == BufferType::NATIVE_HANDLE) {
+            if (!secure) {
+                _hidl_cb(Status::BAD_VALUE, 0, "native handle destination must be secure");
+                return Void();
+            }
            native_handle_t *handle = const_cast<native_handle_t *>(
                    destination.secureMemory.getNativeHandle());
            destPtr = static_cast<void *>(handle);
+        } else {
+            _hidl_cb(Status::BAD_VALUE, 0, "invalid destination type");
+            return Void();
        }
        ssize_t result = mLegacyPlugin->decrypt(secure, keyId.data(), iv.data(),
                legacyMode, legacyPattern, srcPtr, legacySubSamples.get(),