author | Kevin F. Haggerty <haggertk@lineageos.org> | 2021-04-06 09:15:26 -0600 |
---|---|---|
committer | Kevin F. Haggerty <haggertk@lineageos.org> | 2021-04-06 09:15:26 -0600 |
commit | 792bc9a6352e80691e1f0b4d2e2721db4f3787c8 (patch) | |
tree | 909a53929aea8bf8c38ffe2a9d2821eb879286be | |
parent | 848ad2654b18abab9434890aa93bc2d82b0c6937 (diff) | |
parent | 0025b6914b936cbecfe9a8527e0bfd1ab9c83b51 (diff) |
Merge tag 'android-11.0.0_r34' into staging/lineage-18.1_merge-android-11.0.0_r34
Android 11.0.0 release 34
* tag 'android-11.0.0_r34':
Fix double free of play policy in a race condition.
Fix potential decrypt src pointer overflow.
Change-Id: Ia4d094e00e6b71ce3477cf99e63c72223fe77fef
5 files changed, 9 insertions, 1 deletions
diff --git a/drm/mediadrm/plugins/clearkey/default/DrmPlugin.cpp b/drm/mediadrm/plugins/clearkey/default/DrmPlugin.cpp index 1b8b8c1e65..6ac3510c7c 100644 --- a/drm/mediadrm/plugins/clearkey/default/DrmPlugin.cpp +++ b/drm/mediadrm/plugins/clearkey/default/DrmPlugin.cpp @@ -109,6 +109,7 @@ status_t DrmPlugin::getKeyRequest( } void DrmPlugin::setPlayPolicy() { + android::Mutex::Autolock lock(mPlayPolicyLock); mPlayPolicy.clear(); mPlayPolicy.add(kQueryKeyLicenseType, kStreaming); mPlayPolicy.add(kQueryKeyPlayAllowed, kTrue); diff --git a/drm/mediadrm/plugins/clearkey/default/include/DrmPlugin.h b/drm/mediadrm/plugins/clearkey/default/include/DrmPlugin.h index 4fa42e50af..aa9b59ddbb 100644 --- a/drm/mediadrm/plugins/clearkey/default/include/DrmPlugin.h +++ b/drm/mediadrm/plugins/clearkey/default/include/DrmPlugin.h @@ -262,6 +262,7 @@ private: void initProperties(); void setPlayPolicy(); + android::Mutex mPlayPolicyLock; android::KeyedVector<String8, String8> mPlayPolicy; android::KeyedVector<String8, String8> mStringProperties; android::KeyedVector<String8, Vector<uint8_t>> mByteArrayProperties; diff --git a/drm/mediadrm/plugins/clearkey/hidl/CryptoPlugin.cpp b/drm/mediadrm/plugins/clearkey/hidl/CryptoPlugin.cpp index 1495703012..d278633482 100644 --- a/drm/mediadrm/plugins/clearkey/hidl/CryptoPlugin.cpp +++ b/drm/mediadrm/plugins/clearkey/hidl/CryptoPlugin.cpp @@ -119,7 +119,11 @@ Return<void> CryptoPlugin::decrypt_1_2( return Void(); } - if (source.offset + offset + source.size > sourceBase->getSize()) { + size_t totalSize = 0; + if (__builtin_add_overflow(source.offset, offset, &totalSize) || + __builtin_add_overflow(totalSize, source.size, &totalSize) || + totalSize > sourceBase->getSize()) { + android_errorWriteLog(0x534e4554, "176496160"); _hidl_cb(Status_V1_2::ERROR_DRM_CANNOT_HANDLE, 0, "invalid buffer size"); return Void(); } 
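Review bot: The new `mPlayPolicyLock` is taken only in `setPlayPolicy()` in the visible hunks, and a mutex held by the writer alone does not stop a concurrent reader from walking `mPlayPolicy` while `clear()`/`add()` run. The readers are outside these hunks, so confirm that every path that reads or copies `mPlayPolicy` takes the same lock; this applies equally to the hidl `DrmPlugin::setPlayPolicy()` hunk. In both `DrmPlugin.h` hunks the member should carry a comment saying what it protects, e.g. `// Guards mPlayPolicy; hold for every read and write.`, especially in the hidl header, where it is declared away from `mPlayPolicy`. Both `setPlayPolicy()` bodies continue past the end of their hunks.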
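Review bot: The overflow-checked sum in `decrypt_1_2` covers only the source range. The destination-buffer bounds check and the pointer arithmetic that later uses `source.offset + offset` sit outside this hunk and should be checked for the same unchecked-addition pattern. Since `totalSize` is a `size_t`, `__builtin_add_overflow` also fails when the operands are wider and the sum does not fit, which deserves a comment such as `// Also rejects sums that do not fit size_t on 32-bit builds.` The bare literals in `android_errorWriteLog(0x534e4554, "176496160")` would read better with a one-line comment naming them as the security-event log tag ("SNET") and the tracking bug number.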
diff --git a/drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp b/drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp index f87f83025c..a77759eaef 100644 --- a/drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp +++ b/drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp @@ -304,6 +304,7 @@ Return<void> DrmPlugin::getKeyRequest_1_2( } void DrmPlugin::setPlayPolicy() { + android::Mutex::Autolock lock(mPlayPolicyLock); mPlayPolicy.clear(); KeyValue policy; diff --git a/drm/mediadrm/plugins/clearkey/hidl/include/DrmPlugin.h b/drm/mediadrm/plugins/clearkey/hidl/include/DrmPlugin.h index 3de758945b..076beb8a0d 100644 --- a/drm/mediadrm/plugins/clearkey/hidl/include/DrmPlugin.h +++ b/drm/mediadrm/plugins/clearkey/hidl/include/DrmPlugin.h @@ -406,6 +406,7 @@ private: int64_t mCloseSessionOkCount; int64_t mCloseSessionNotOpenedCount; uint32_t mNextSecureStopId; + android::Mutex mPlayPolicyLock; // set by property to mock error scenarios Status_V1_2 mMockError; |