clearkey hidl: fix oob read in decrypt
Validate sum of subsample sizes do not overrun source buffer.
Bug: 154123412
Test: poc_CryptoPlugin_cpp_183
Test: MediaDrmClearkeyTest
Test: NativeMediaDrmClearkeyTest
Change-Id: I27b05479202e0caedfd052c683aa1ef187f65679
Merged-In: I27b05479202e0caedfd052c683aa1ef187f65679
(cherry picked from commit fa3781fe0fb654659634d7b4703b6ed2ae27fdeb)
diff --git a/drm/mediadrm/plugins/clearkey/hidl/CryptoPlugin.cpp b/drm/mediadrm/plugins/clearkey/hidl/CryptoPlugin.cpp
index cd2224d..a3f5bf5 100644
--- a/drm/mediadrm/plugins/clearkey/hidl/CryptoPlugin.cpp
+++ b/drm/mediadrm/plugins/clearkey/hidl/CryptoPlugin.cpp
@@ -117,14 +117,17 @@
// Calculate the output buffer size and determine if any subsamples are
// encrypted.
size_t destSize = 0;
+ size_t srcSize = 0;
bool haveEncryptedSubsamples = false;
for (size_t i = 0; i < subSamples.size(); i++) {
const SubSample &subSample = subSamples[i];
- if (__builtin_add_overflow(destSize, subSample.numBytesOfClearData, &destSize)) {
+ if (__builtin_add_overflow(destSize, subSample.numBytesOfClearData, &destSize) ||
+ __builtin_add_overflow(srcSize, subSample.numBytesOfClearData, &srcSize)) {
_hidl_cb(Status::BAD_VALUE, 0, "subsample clear size overflow");
return Void();
}
- if (__builtin_add_overflow(destSize, subSample.numBytesOfEncryptedData, &destSize)) {
+ if (__builtin_add_overflow(destSize, subSample.numBytesOfEncryptedData, &destSize) ||
+ __builtin_add_overflow(srcSize, subSample.numBytesOfEncryptedData, &srcSize)) {
_hidl_cb(Status::BAD_VALUE, 0, "subsample encrypted size overflow");
return Void();
}
@@ -133,7 +136,7 @@
}
}
- if (destSize > destBuffer.size) {
+ if (destSize > destBuffer.size || srcSize > source.size) {
_hidl_cb(Status::BAD_VALUE, 0, "subsample sum too large");
return Void();
}
