Merge "[RESTRICT AUTOMERGE] Fix CryptoPlugin use after free vulnerability." into oc-mr1-dev

commit: c73a52277fabf4fdf18b650237ea23c660f3fb4d [log] [tgz]
author: Edwin Wong <edwinwong@google.com> Tue Apr 06 22:27:14 2021 +0000
committer: Android (Google) Code Review <android-gerrit@google.com> Tue Apr 06 22:27:14 2021 +0000
tree: fa0e99412a5bcbd3b7f452030cd6662c41a2b139
parent: d468101f149e30bc4ec5105555973d4ed8b4e009 [diff]
parent: 7e4c587ae32aca644254fa206de5131553975f4b [diff]
diff --git a/drm/1.0/default/CryptoPlugin.cpp b/drm/1.0/default/CryptoPlugin.cpp
index 74047ff..f23b8e3 100644
--- a/drm/1.0/default/CryptoPlugin.cpp
+++ b/drm/1.0/default/CryptoPlugin.cpp

@@ -151,7 +151,10 @@
                 return Void();
             }
 
-            if (destBuffer.offset + destBuffer.size > destBase->getSize()) {
+            size_t totalDstSize = 0;
+            if (__builtin_add_overflow(destBuffer.offset, destBuffer.size, &totalDstSize) ||
+                totalDstSize > destBase->getSize()) {
+                android_errorWriteLog(0x534e4554, "176496353");
                 _hidl_cb(Status::ERROR_DRM_CANNOT_HANDLE, 0, "invalid buffer size");
                 return Void();
             }
commit	c73a52277fabf4fdf18b650237ea23c660f3fb4d	[log] [tgz]
author	Edwin Wong <edwinwong@google.com>	Tue Apr 06 22:27:14 2021 +0000
committer	Android (Google) Code Review <android-gerrit@google.com>	Tue Apr 06 22:27:14 2021 +0000
tree	fa0e99412a5bcbd3b7f452030cd6662c41a2b139
parent	d468101f149e30bc4ec5105555973d4ed8b4e009 [diff]
parent	7e4c587ae32aca644254fa206de5131553975f4b [diff]