Merge "[RESTRICT AUTOMERGE] Fix potential decrypt destPtr overflow." into qt-dev

author: Edwin Wong <edwinwong@google.com> 2021-03-10 19:00:01 +0000
committer: Android (Google) Code Review <android-gerrit@google.com> 2021-03-10 19:00:01 +0000
commit: 7df29ccb132cdec678b172f2c3b9cdefb30b7027 (patch)
tree: 20d684324f7d26d3048de1ebf6dcdb3c2e0049f6
parent: 50fd22f3d7eaf0b8dba49e88e1feb6aa99005cff (diff)
parent: 3c9044cdef93c7c611118424f31448d618cc9da3 (diff)
1 files changed, 5 insertions, 3 deletions
diff --git a/drm/mediadrm/plugins/clearkey/hidl/CryptoPlugin.cpp b/drm/mediadrm/plugins/clearkey/hidl/CryptoPlugin.cpp
index d278633482..005e551383 100644
--- a/drm/mediadrm/plugins/clearkey/hidl/CryptoPlugin.cpp
+++ b/drm/mediadrm/plugins/clearkey/hidl/CryptoPlugin.cpp
@@ -142,12 +142,14 @@ Return<void> CryptoPlugin::decrypt_1_2(
 
     base = static_cast<uint8_t *>(static_cast<void *>(destBase->getPointer()));
 
-    if (destBuffer.offset + destBuffer.size > destBase->getSize()) {
+    totalSize = 0;
+    if (__builtin_add_overflow(destBuffer.offset, destBuffer.size, &totalSize) ||
+        totalSize > destBase->getSize()) {
+        android_errorWriteLog(0x534e4554, "176444622");
         _hidl_cb(Status_V1_2::ERROR_DRM_FRAME_TOO_LARGE, 0, "invalid buffer size");
         return Void();
     }
-    destPtr = static_cast<void *>(base + destination.nonsecureMemory.offset);
-
+    destPtr = static_cast<void*>(base + destination.nonsecureMemory.offset);
 
     // Calculate the output buffer size and determine if any subsamples are
     // encrypted.
author	Edwin Wong <edwinwong@google.com>	2021-03-10 19:00:01 +0000
committer	Android (Google) Code Review <android-gerrit@google.com>	2021-03-10 19:00:01 +0000
commit	7df29ccb132cdec678b172f2c3b9cdefb30b7027 (patch)
tree	20d684324f7d26d3048de1ebf6dcdb3c2e0049f6
parent	50fd22f3d7eaf0b8dba49e88e1feb6aa99005cff (diff)
parent	3c9044cdef93c7c611118424f31448d618cc9da3 (diff)