Fix potential decrypt src pointer overflow. am: c14f262876 am: 107233b3dd am: e289b4aa83 am: 92d4d99b98 am: c5f312b883 Original change: https://googleplex-android-review.googlesource.com/c/platform/hardware/interfaces/+/13472562 MUST ONLY BE SUBMITTED BY AUTOMERGER Change-Id: Idb2e36a8815a0de2a769a330def6bb6c0d22383d

commit: 5cf2c6caf68b8e774cff70e8d80b94b79f2fc7f2 [log] [tgz]
author: Edwin Wong <edwinwong@google.com> Thu Feb 04 01:57:50 2021 +0000
committer: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> Thu Feb 04 01:57:50 2021 +0000
tree: 4ac1dff5ccc9dbb43331b06e3b7ee7da004cb49d
parent: dbdfdc85c82c204c028bbfdf2270e296c9595998 [diff]
parent: c5f312b8837b5a9482239cf77f96cdc63884a344 [diff]
diff --git a/drm/1.0/default/CryptoPlugin.cpp b/drm/1.0/default/CryptoPlugin.cpp
index 2db3607..e6d4e84 100644
--- a/drm/1.0/default/CryptoPlugin.cpp
+++ b/drm/1.0/default/CryptoPlugin.cpp

@@ -124,7 +124,11 @@
             return Void();
         }
 
-        if (source.offset + offset + source.size > sourceBase->getSize()) {
+        size_t totalSize = 0;
+        if (__builtin_add_overflow(source.offset, offset, &totalSize) ||
+            __builtin_add_overflow(totalSize, source.size, &totalSize) ||
+            totalSize > sourceBase->getSize()) {
+            android_errorWriteLog(0x534e4554, "176496160");
             _hidl_cb(Status::ERROR_DRM_CANNOT_HANDLE, 0, "invalid buffer size");
             return Void();
         }
commit	5cf2c6caf68b8e774cff70e8d80b94b79f2fc7f2	[log] [tgz]
author	Edwin Wong <edwinwong@google.com>	Thu Feb 04 01:57:50 2021 +0000
committer	Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	Thu Feb 04 01:57:50 2021 +0000
tree	4ac1dff5ccc9dbb43331b06e3b7ee7da004cb49d
parent	dbdfdc85c82c204c028bbfdf2270e296c9595998 [diff]
parent	c5f312b8837b5a9482239cf77f96cdc63884a344 [diff]