OSDN > Find Software > System > OS distribution > Live CD > Android-x86 > SCM > git > frameworks-av > Commit

Android-x86
Fork
external-gbm_gralloc
hardware-powerbtnd
hardware-intel-libva
manifest
device-generic-x86_64
device-generic-common
system-bt
hardware-intel-intel-driver
external-bluetooth-bluedroid
build
device-generic-x86
packages-apps-Camera2
device-viewsonic-viewpad10
packages-apps-Taskbar
packages-apps-Gallery2
system-media
hardware-intel-common-libva
external-vboxguest-linux-modules
system-netd
hardware-intel-common-vaapi
external-swiftshader
external-efibootmgr
device-generic-openthos
packages-apps-Settings
hardware-ril
packages-apps-CMFileManager
packages-apps-Eleven
external-toybox
external-drm_hwcomposer
hardware-libhardware_legacy
system-extras
hardware-libsensors
hardware-liblights
hardware-broadcom-libbt
packages-apps-TSCalibration2
system-core
packages-apps-Bluetooth
device-generic-firmware
device-generic-goldfish
external-s2tc
device-asus
device-amd
device-common
device-hp-tx2500
device-ibm-thinkpad
device-lenovo-s103t
device-tegatech-tegav2
external-srec
external-webkit
external-wpa_supplicant_6
packages-apps-AndroidTerm
packages-apps-FileManager
external-tslib
external-modules-rtl8723au
packages-inputmethods-PinyinIME
sdk
system-bluetooth
hardware-alsa_sound
device-asus-laptop
device-amd-persimmon
development
device-dell-sparta
device-vm-vm
hardware-wacom-input
libcore
packages-apps-Browser
packages-apps-Camera
prebuilt
device-motion-m1400
device-viliv-s5
packages-apps-Superuser
device-asus-eeepc
device-generic-goldfish-opengl
external-mplayer
external-wpa_supplicant
frameworks-policies-base
ndk
packages-apps-Calendar
packages-apps-ConnectBot
packages-apps-Contacts
packages-apps-DeskClock
packages-apps-LIME
packages-apps-Music
packages-providers-DownloadProvider
packages-wallpapers-Basic
packages-wallpapers-MagicSmoke
packages-wallpapers-MusicVisualization
packages-providers-ImProvider
packages-apps-AlarmClock
packages-apps-IM
packages-apps-Launcher
packages-apps-SoundRecorder
external-opencore
vendor-intel-houdini
vendor-samsung-q1u
external-dhcpcd
hardware-menlow-psb
hardware-menlow-ioport
push
external-eject
external-v86d
external-koush-Superuser
external-koush-Widgets
frameworks-native
external-libpciaccess
external-bluetooth-bluez
external-libtruezip
external-stagefright-plugins
external-ntfs-3g
external-parted
hardware-intel-hwcomposer
external-mesa
external-ffmpeg
external-llvm
external-libdrm
external-e2fsprogs
external-bluetooth-glib
hardware-broadcom-wlan
external-drm_gralloc
hardware-gps
external-busybox
kernel
external-alsa-lib
external-alsa-utils
system-vold
frameworks-base
frameworks-av
external-bluetooth-sbc
packages-apps-Trebuchet
dalvik
hardware-x86power
packages-services-Analytics
external-ppp
packages-apps-Launcher3
external-wpa_supplicant_8
hardware-intel-audio_media
hardware-intel-libsensors
hardware-libaudio
hardware-libcamera
external-googleanalytics
hardware-libhardware
hardware-interfaces
bootable-newinstaller
art
external-efivar
hardware-memtrack
system-connectivity-wificond
bionic
external-kernel-drivers
external-drm_framebuffer
external-exfat
external-openssh
external-wireless-tools
external-mksh
external-libffi
external-musl-libc
system-hardware-interfaces
external-minigbm
external-IA-Hardware-Composer
external-drmfb-composer
external-alsa-ucm-conf
external-libncurses
external-llvm-project
system-linkerconfig
Donation

R/O
HTTP
SSH
HTTPS

frameworks-av: Commit

frameworks/av

Commit MetaInfo

Revision	ba91a998f4bc0c69650954bfcd85cbc27afb1d41 (tree)
Time	2018-01-14 05:37:30
Author	Edwin Wong <edwinwong@goog...>
Commiter	Moritz Horstmann

Log Message

Validate decryption key length to decrypt function.

Cherry picked from http://go/ag/3038278.

AesCtrDecryptor::decrypt() doesn't check whether the size of "key"
is equal to 16 bytes, which may lead to an OOB read problem in the
context of mediadrmserver.

Add DecryptsWithEmptyKey and DecryptsWithKeyTooLong unit tests.

Test: ClearKeyDrmUnitTest

adb shell LD_LIBRARY_PATH="/vendor/lib/mediadrm"
/data/nativetest/ClearKeyDrmUnitTest/ClearKeyDrmUnitTest

bug: 63982768
Change-Id: I1f22c9df2b051972b2c532608b7f203e3ce77926
(cherry picked from commit 379b672b189aa72ce0103b485019022f3e292c36)

Change Summary

modified: drm/mediadrm/plugins/clearkey/AesCtrDecryptor.cpp (diff)
modified: drm/mediadrm/plugins/clearkey/AesCtrDecryptor.h (diff)
modified: drm/mediadrm/plugins/clearkey/tests/AesCtrDecryptorUnittest.cpp (diff)

Incremental Difference

--- a/drm/mediadrm/plugins/clearkey/AesCtrDecryptor.cpp

+++ b/drm/mediadrm/plugins/clearkey/AesCtrDecryptor.cpp

		@@ -36,6 +36,11 @@ android::status_t AesCtrDecryptor::decrypt(const android::Vector<uint8_t>& key,
36	36	uint8_t previousEncryptedCounter[kBlockSize];
37	37	memset(previousEncryptedCounter, 0, kBlockSize);
38	38
	39	+ if (key.size() != kBlockSize \|\| (sizeof(Iv) / sizeof(uint8_t)) != kBlockSize) {
	40	+ android_errorWriteLog(0x534e4554, "63982768");
	41	+ return android::ERROR_DRM_DECRYPT;
	42	+ }
	43	+
39	44	size_t offset = 0;
40	45	AES_KEY opensslKey;
41	46	AES_set_encrypt_key(key.array(), kBlockBitCount, &opensslKey);

--- a/drm/mediadrm/plugins/clearkey/AesCtrDecryptor.h

+++ b/drm/mediadrm/plugins/clearkey/AesCtrDecryptor.h

		@@ -18,6 +18,7 @@
18	18	#define CLEARKEY_AES_CTR_DECRYPTOR_H_
19	19
20	20	#include <media/stagefright/foundation/ABase.h>
	21	+#include <media/stagefright/MediaErrors.h>
21	22	#include <Utils.h>
22	23	#include <utils/Errors.h>
23	24	#include <utils/Vector.h>

--- a/drm/mediadrm/plugins/clearkey/tests/AesCtrDecryptorUnittest.cpp

+++ b/drm/mediadrm/plugins/clearkey/tests/AesCtrDecryptorUnittest.cpp

		@@ -34,7 +34,7 @@ class AesCtrDecryptorTest : public ::testing::Test {
34	34	uint8_t* destination, const SubSample* subSamples,
35	35	size_t numSubSamples, size_t* bytesDecryptedOut) {
36	36	Vector<uint8_t> keyVector;
37		- keyVector.appendArray(key, kBlockSize);
	37	+ keyVector.appendArray(key, sizeof(key) / sizeof(uint8_t));
38	38
39	39	AesCtrDecryptor decryptor;
40	40	return decryptor.decrypt(keyVector, iv, source, destination, subSamples,

		@@ -57,6 +57,67 @@ class AesCtrDecryptorTest : public ::testing::Test {
57	57	}
58	58	};
59	59
	60	+TEST_F(AesCtrDecryptorTest, DecryptsWithEmptyKey) {
	61	+ const size_t kTotalSize = 64;
	62	+ const size_t kNumSubsamples = 1;
	63	+
	64	+ // Test vectors from NIST-800-38A
	65	+ Iv iv = {
	66	+ 0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7,
	67	+ 0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd, 0xfe, 0xff
	68	+ };
	69	+
	70	+ uint8_t source[kTotalSize] = { 0 };
	71	+ uint8_t destination[kTotalSize] = { 0 };
	72	+ SubSample subSamples[kNumSubsamples] = {
	73	+ {0, 64}
	74	+ };
	75	+
	76	+ size_t bytesDecrypted = 0;
	77	+ Vector<uint8_t> keyVector;
	78	+ keyVector.clear();
	79	+
	80	+ AesCtrDecryptor decryptor;
	81	+ ASSERT_EQ(android::ERROR_DRM_DECRYPT, decryptor.decrypt(keyVector, iv,
	82	+ &source[0], &destination[0],
	83	+ &subSamples[0], kNumSubsamples, &bytesDecrypted));
	84	+ ASSERT_EQ(0u, bytesDecrypted);
	85	+}
	86	+
	87	+TEST_F(AesCtrDecryptorTest, DecryptsWithKeyTooLong) {
	88	+ const size_t kTotalSize = 64;
	89	+ const size_t kNumSubsamples = 1;
	90	+
	91	+ // Test vectors from NIST-800-38A
	92	+ uint8_t key[kBlockSize * 2] = {
	93	+ 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
	94	+ 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c,
	95	+ 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
	96	+ 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c
	97	+ };
	98	+
	99	+ Iv iv = {
	100	+ 0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7,
	101	+ 0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd, 0xfe, 0xff
	102	+ };
	103	+
	104	+ uint8_t source[kTotalSize] = { 0 };
	105	+ uint8_t destination[kTotalSize] = { 0 };
	106	+ SubSample subSamples[kNumSubsamples] = {
	107	+ {0, 64}
	108	+ };
	109	+
	110	+ size_t bytesDecrypted = 0;
	111	+ Vector<uint8_t> keyVector;
	112	+ keyVector.appendArray(key, sizeof(key) / sizeof(uint8_t));
	113	+
	114	+ AesCtrDecryptor decryptor;
	115	+ ASSERT_EQ(android::ERROR_DRM_DECRYPT, decryptor.decrypt(keyVector, iv,
	116	+ &source[0], &destination[0],
	117	+ &subSamples[0], kNumSubsamples, &bytesDecrypted));
	118	+ ASSERT_EQ(0u, bytesDecrypted);
	119	+}
	120	+
60	121	TEST_F(AesCtrDecryptorTest, DecryptsContiguousEncryptedBlock) {
61	122	const size_t kTotalSize = 64;
62	123	const size_t kNumSubsamples = 1;

Show on old repository browser