default hidl CryptoPlugin: security fixes [RESTRICT AUTOMERGE]

* reject native handle output for clearkey * validate subsample sizes Bug: 137370777 Test: cryptopoc Change-Id: I2a81f2a00ebf7954b16fb10d2af586ce0da801ed
author: Robert Shih <robertshih@google.com> 2019-09-11 14:10:14 -0700
committer: Robert Shih <robertshih@google.com> 2019-09-11 22:08:28 +0000
commit: d22f1447fe2fc10dbf45bde6fb4a7cb6f7a8a7ca (patch)
tree: 30f55d549dc4ae79865138271c985ad17dec2d56 /drm/1.0/default/CryptoPlugin.cpp
parent: d660d03f7cd451e834ba278c70b6809b704b7c13 (diff)
1 files changed, 31 insertions, 4 deletions
diff --git a/drm/1.0/default/CryptoPlugin.cpp b/drm/1.0/default/CryptoPlugin.cpp
index 591861aeec..6626c0172f 100644
--- a/drm/1.0/default/CryptoPlugin.cpp
+++ b/drm/1.0/default/CryptoPlugin.cpp
@@ -98,11 +98,22 @@ namespace implementation {
         android::CryptoPlugin::SubSample *legacySubSamples =
             new android::CryptoPlugin::SubSample[subSamples.size()];
 
+        size_t destSize = 0;
         for (size_t i = 0; i < subSamples.size(); i++) {
-            legacySubSamples[i].mNumBytesOfClearData
-                = subSamples[i].numBytesOfClearData;
-            legacySubSamples[i].mNumBytesOfEncryptedData
-                = subSamples[i].numBytesOfEncryptedData;
+            uint32_t numBytesOfClearData = subSamples[i].numBytesOfClearData;
+            legacySubSamples[i].mNumBytesOfClearData = numBytesOfClearData;
+            uint32_t numBytesOfEncryptedData = subSamples[i].numBytesOfEncryptedData;
+            legacySubSamples[i].mNumBytesOfEncryptedData = numBytesOfEncryptedData;
+            if (__builtin_add_overflow(destSize, numBytesOfClearData, &destSize)) {
+                delete[] legacySubSamples;
+                _hidl_cb(Status::BAD_VALUE, 0, "subsample clear size overflow");
+                return Void();
+            }
+            if (__builtin_add_overflow(destSize, numBytesOfEncryptedData, &destSize)) {
+                delete[] legacySubSamples;
+                _hidl_cb(Status::BAD_VALUE, 0, "subsample encrypted size overflow");
+                return Void();
+            }
         }
 
         AString detailMessage;
@@ -125,11 +136,27 @@ namespace implementation {
                 _hidl_cb(Status::ERROR_DRM_CANNOT_HANDLE, 0, "invalid buffer size");
                 return Void();
             }
+
+            if (destSize > destBuffer.size) {
+                delete[] legacySubSamples;
+                _hidl_cb(Status::BAD_VALUE, 0, "subsample sum too large");
+                return Void();
+            }
+
             destPtr = static_cast<void *>(base + destination.nonsecureMemory.offset);
         } else if (destination.type == BufferType::NATIVE_HANDLE) {
+            if (!secure) {
+                delete[] legacySubSamples;
+                _hidl_cb(Status::BAD_VALUE, 0, "native handle destination must be secure");
+                return Void();
+            }
             native_handle_t *handle = const_cast<native_handle_t *>(
                     destination.secureMemory.getNativeHandle());
             destPtr = static_cast<void *>(handle);
+        } else {
+            delete[] legacySubSamples;
+            _hidl_cb(Status::BAD_VALUE, 0, "invalid destination type");
+            return Void();
         }
         ssize_t result = mLegacyPlugin->decrypt(secure, keyId.data(), iv.data(),
                 legacyMode, legacyPattern, srcPtr, legacySubSamples,
author	Robert Shih <robertshih@google.com>	2019-09-11 14:10:14 -0700
committer	Robert Shih <robertshih@google.com>	2019-09-11 22:08:28 +0000
commit	d22f1447fe2fc10dbf45bde6fb4a7cb6f7a8a7ca (patch)
tree	30f55d549dc4ae79865138271c985ad17dec2d56 /drm/1.0/default/CryptoPlugin.cpp
parent	d660d03f7cd451e834ba278c70b6809b704b7c13 (diff)