tequilaOS/platform_hardware_interfaces
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Merge "Fix potential decrypt destPtr overflow." into rvc-dev am: fc62c64de1 am: 2179627078

Browse source 
Original change: https://googleplex-android-review.googlesource.com/c/platform/hardware/interfaces/+/13467452

Change-Id: I781f2833cc0c4c062f35097f8c2860fac4820eba
This commit is contained in:
Edwin Wong 2021-04-05 22:37:14 +00:00 committed by Automerger Merge Worker
commit d39d06d99c
1 changed files with 6 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
drm/1.0/default/CryptoPlugin.cpp
View file

@ -79,7 +79,7 @@ namespace implementation {
} }
} }
android::CryptoPlugin::Mode legacyMode; android::CryptoPlugin::Mode legacyMode = android::CryptoPlugin::kMode_Unencrypted;
switch(mode) { switch(mode) {
case Mode::UNENCRYPTED: case Mode::UNENCRYPTED:
legacyMode = android::CryptoPlugin::kMode_Unencrypted; legacyMode = android::CryptoPlugin::kMode_Unencrypted;
@ -146,7 +146,10 @@ namespace implementation {
return Void(); return Void();
} }
if (destBuffer.offset + destBuffer.size > destBase->getSize()) { size_t totalSize = 0;
if (__builtin_add_overflow(destBuffer.offset, destBuffer.size, &totalSize) ||
totalSize > destBase->getSize()) {
android_errorWriteLog(0x534e4554, "176496353");
_hidl_cb(Status::ERROR_DRM_CANNOT_HANDLE, 0, "invalid buffer size"); _hidl_cb(Status::ERROR_DRM_CANNOT_HANDLE, 0, "invalid buffer size");
return Void(); return Void();
} }
@ -157,7 +160,7 @@ namespace implementation {
} }
base = static_cast<uint8_t *>(static_cast<void *>(destBase->getPointer())); base = static_cast<uint8_t *>(static_cast<void *>(destBase->getPointer()));
destPtr = static_cast<void *>(base + destination.nonsecureMemory.offset); destPtr = static_cast<void*>(base + destination.nonsecureMemory.offset);
} else if (destination.type == BufferType::NATIVE_HANDLE) { } else if (destination.type == BufferType::NATIVE_HANDLE) {
if (!secure) { if (!secure) {
_hidl_cb(Status::BAD_VALUE, 0, "native handle destination must be secure"); _hidl_cb(Status::BAD_VALUE, 0, "native handle destination must be secure");