Google Git
Sign in
fuchsia / third_party / android / platform / hardware / interfaces / refs/heads/upstream/android10-c2f2-release^1..refs/heads/upstream/android10-c2f2-release / .
commit08039f1eb7e025c8202b209afa4c3aef5b7b8153[log] [tgz]
authorandroid-build-team Robot <android-build-team-robot@google.com>Fri Sep 20 02:18:47 2019 +0000
committerandroid-build-team Robot <android-build-team-robot@google.com>Fri Sep 20 02:18:47 2019 +0000
tree4c5522a9c3923fed307120267341b782f3e12848
parentedca537ed8f330c0683b689ff9042a866cc01e15 [diff]
parent7bbba83931f32582507392483cc697d9bdd22288 [diff]
Merge cherrypicks of [9426564, 9426565, 9426566, 9426567, 9425837, 9426546, 9426547, 9426663, 9425933, 9425934, 9425935, 9426621, 9426622, 9426548, 9426599, 9426920, 9426921, 9426922, 9426923, 9426924, 9426925, 9425775, 9425838, 9426623, 9426664, 9426665, 9426666, 9426667, 9426668, 9426669, 9426568, 9426569] into qt-c2f2-release

Change-Id: Ib9e3b6b87cf042e1d41c0aa693a662dfcf3f74a2

diff --git a/drm/1.0/default/CryptoPlugin.cpp b/drm/1.0/default/CryptoPlugin.cpp
index 666653b..8ddc380 100644
--- a/drm/1.0/default/CryptoPlugin.cpp
+++ b/drm/1.0/default/CryptoPlugin.cpp

@@ -101,11 +101,20 @@
         std::unique_ptr<android::CryptoPlugin::SubSample[]> legacySubSamples =
                 std::make_unique<android::CryptoPlugin::SubSample[]>(subSamples.size());
 
+        size_t destSize = 0;
         for (size_t i = 0; i < subSamples.size(); i++) {
-            legacySubSamples[i].mNumBytesOfClearData
-                = subSamples[i].numBytesOfClearData;
-            legacySubSamples[i].mNumBytesOfEncryptedData
-                = subSamples[i].numBytesOfEncryptedData;
+            uint32_t numBytesOfClearData = subSamples[i].numBytesOfClearData;
+            legacySubSamples[i].mNumBytesOfClearData = numBytesOfClearData;
+            uint32_t numBytesOfEncryptedData = subSamples[i].numBytesOfEncryptedData;
+            legacySubSamples[i].mNumBytesOfEncryptedData = numBytesOfEncryptedData;
+            if (__builtin_add_overflow(destSize, numBytesOfClearData, &destSize)) {
+                _hidl_cb(Status::BAD_VALUE, 0, "subsample clear size overflow");
+                return Void();
+            }
+            if (__builtin_add_overflow(destSize, numBytesOfEncryptedData, &destSize)) {
+                _hidl_cb(Status::BAD_VALUE, 0, "subsample encrypted size overflow");
+                return Void();
+            }
         }
 
         AString detailMessage;
@@ -137,11 +146,24 @@
                 _hidl_cb(Status::ERROR_DRM_CANNOT_HANDLE, 0, "invalid buffer size");
                 return Void();
             }
+
+            if (destSize > destBuffer.size) {
+                _hidl_cb(Status::BAD_VALUE, 0, "subsample sum too large");
+                return Void();
+            }
+
             destPtr = static_cast<void *>(base + destination.nonsecureMemory.offset);
         } else if (destination.type == BufferType::NATIVE_HANDLE) {
+            if (!secure) {
+                _hidl_cb(Status::BAD_VALUE, 0, "native handle destination must be secure");
+                return Void();
+            }
             native_handle_t *handle = const_cast<native_handle_t *>(
                     destination.secureMemory.getNativeHandle());
             destPtr = static_cast<void *>(handle);
+        } else {
+            _hidl_cb(Status::BAD_VALUE, 0, "invalid destination type");
+            return Void();
         }
         ssize_t result = mLegacyPlugin->decrypt(secure, keyId.data(), iv.data(),
                 legacyMode, legacyPattern, srcPtr, legacySubSamples.get(),