Snap for 7262953 from 2e13f4a3ec5fa24dd1efdad97efa1b2216f3cf22 to rvc-qpr3-release Change-Id: I3e799fefd4be4c43754add99d1ff80b6a3d5188e

commit: 08709ad6dc28aa96ccf77029739cf6deafb8b34b [log] [tgz]
author: android-build-team Robot <android-build-team-robot@google.com> Tue Apr 06 22:04:33 2021 +0000
committer: android-build-team Robot <android-build-team-robot@google.com> Tue Apr 06 22:04:33 2021 +0000
tree: 5dc33909de5a521dc088f5fab42100d148a913e0
parent: 6ab0fea9b07d52283a153dc4597453ff71c979ff [diff]
parent: 2e13f4a3ec5fa24dd1efdad97efa1b2216f3cf22 [diff]
diff --git a/drm/mediadrm/plugins/clearkey/hidl/CryptoPlugin.cpp b/drm/mediadrm/plugins/clearkey/hidl/CryptoPlugin.cpp
index d278633..005e551 100644
--- a/drm/mediadrm/plugins/clearkey/hidl/CryptoPlugin.cpp
+++ b/drm/mediadrm/plugins/clearkey/hidl/CryptoPlugin.cpp

@@ -142,12 +142,14 @@
 
     base = static_cast<uint8_t *>(static_cast<void *>(destBase->getPointer()));
 
-    if (destBuffer.offset + destBuffer.size > destBase->getSize()) {
+    totalSize = 0;
+    if (__builtin_add_overflow(destBuffer.offset, destBuffer.size, &totalSize) ||
+        totalSize > destBase->getSize()) {
+        android_errorWriteLog(0x534e4554, "176444622");
         _hidl_cb(Status_V1_2::ERROR_DRM_FRAME_TOO_LARGE, 0, "invalid buffer size");
         return Void();
     }
-    destPtr = static_cast<void *>(base + destination.nonsecureMemory.offset);
-
+    destPtr = static_cast<void*>(base + destination.nonsecureMemory.offset);
 
     // Calculate the output buffer size and determine if any subsamples are
     // encrypted.
commit	08709ad6dc28aa96ccf77029739cf6deafb8b34b	[log] [tgz]
author	android-build-team Robot <android-build-team-robot@google.com>	Tue Apr 06 22:04:33 2021 +0000
committer	android-build-team Robot <android-build-team-robot@google.com>	Tue Apr 06 22:04:33 2021 +0000
tree	5dc33909de5a521dc088f5fab42100d148a913e0
parent	6ab0fea9b07d52283a153dc4597453ff71c979ff [diff]
parent	2e13f4a3ec5fa24dd1efdad97efa1b2216f3cf22 [diff]