summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorEdwin Wong <edwinwong@google.com>2021-04-05 21:56:38 +0000
committerAutomerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>2021-04-05 21:56:38 +0000
commit97a19d9428be4bf63d3e99eaa6f19ea0af4530f2 (patch)
tree5dc33909de5a521dc088f5fab42100d148a913e0
parent48132b70ae8a4d366a95d11cfe3549a5f6485698 (diff)
parent5b3fc84035a7e521135e85fd1764452a0eae1e8e (diff)
Merge "Fix potential decrypt destPtr overflow." into rvc-dev am: 5b3fc84035
Original change: https://googleplex-android-review.googlesource.com/c/platform/frameworks/av/+/13467358 Change-Id: Icdd26d85132711d859d328a0eb7334d7daa8dbe3
Diffstat
-rw-r--r--drm/mediadrm/plugins/clearkey/hidl/CryptoPlugin.cpp8
1 files changed, 5 insertions, 3 deletions
diff --git a/drm/mediadrm/plugins/clearkey/hidl/CryptoPlugin.cpp b/drm/mediadrm/plugins/clearkey/hidl/CryptoPlugin.cpp
index d278633482..005e551383 100644
--- a/drm/mediadrm/plugins/clearkey/hidl/CryptoPlugin.cpp
+++ b/drm/mediadrm/plugins/clearkey/hidl/CryptoPlugin.cpp
@@ -142,12 +142,14 @@ Return<void> CryptoPlugin::decrypt_1_2(
base = static_cast<uint8_t *>(static_cast<void *>(destBase->getPointer()));
- if (destBuffer.offset + destBuffer.size > destBase->getSize()) {
+ totalSize = 0;
+ if (__builtin_add_overflow(destBuffer.offset, destBuffer.size, &totalSize) ||
+ totalSize > destBase->getSize()) {
+ android_errorWriteLog(0x534e4554, "176444622");
_hidl_cb(Status_V1_2::ERROR_DRM_FRAME_TOO_LARGE, 0, "invalid buffer size");
return Void();
}
- destPtr = static_cast<void *>(base + destination.nonsecureMemory.offset);
-
+ destPtr = static_cast<void*>(base + destination.nonsecureMemory.offset);
// Calculate the output buffer size and determine if any subsamples are
// encrypted.
generated by cgit v1.2.3 (git 2.25.1) at 2025-10-03 04:54:20 +0000