frameworks/av
| Revision | 8977f0e3aa98cbb8a6af34a429a7af5c3f8b144d (tree) |
|---|---|
| Time | 2015-09-29 08:27:49 |
| Author | Jeff Tinker <jtinker@goog...> |
| Commiter | The Android Automerger |
Fix for security vulnerability in media server DO NOT MERGE
bug: 23540426
Change-Id: I7ca419e4008967a0387649e5293ac9d4be71d3c4
media/libmedia/ICrypto.cpp (diff)| @@ -265,7 +265,28 @@ status_t BnCrypto::onTransact( | ||
| 265 | 265 | } |
| 266 | 266 | |
| 267 | 267 | AString errorDetailMsg; |
| 268 | - ssize_t result = decrypt( | |
| 268 | + ssize_t result; | |
| 269 | + | |
| 270 | + size_t sumSubsampleSizes = 0; | |
| 271 | + bool overflow = false; | |
| 272 | + for (int32_t i = 0; i < numSubSamples; ++i) { | |
| 273 | + CryptoPlugin::SubSample &ss = subSamples[i]; | |
| 274 | + if (sumSubsampleSizes <= SIZE_MAX - ss.mNumBytesOfEncryptedData) { | |
| 275 | + sumSubsampleSizes += ss.mNumBytesOfEncryptedData; | |
| 276 | + } else { | |
| 277 | + overflow = true; | |
| 278 | + } | |
| 279 | + if (sumSubsampleSizes <= SIZE_MAX - ss.mNumBytesOfClearData) { | |
| 280 | + sumSubsampleSizes += ss.mNumBytesOfClearData; | |
| 281 | + } else { | |
| 282 | + overflow = true; | |
| 283 | + } | |
| 284 | + } | |
| 285 | + | |
| 286 | + if (overflow || sumSubsampleSizes != totalSize) { | |
| 287 | + result = -EINVAL; | |
| 288 | + } else { | |
| 289 | + result = decrypt( | |
| 269 | 290 | secure, |
| 270 | 291 | key, |
| 271 | 292 | iv, |
| @@ -274,6 +295,7 @@ status_t BnCrypto::onTransact( | ||
| 274 | 295 | subSamples, numSubSamples, |
| 275 | 296 | secure ? secureBufferId : dstPtr, |
| 276 | 297 | &errorDetailMsg); |
| 298 | + } | |
| 277 | 299 | |
| 278 | 300 | reply->writeInt32(result); |
| 279 | 301 |
Fork