commit c99bf00d21254699aa10b4d0f66905e2450959b6
author Edwin Wong <edwinwong@google.com> Tue Apr 06 05:07:07 2021 +0000
committer Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> Tue Apr 06 05:07:07 2021 +0000
tree f0524e64cddfe94ddc54f4156ba78c289c08a40b
parent 42d9f3f3fb7cda65ed6939da68a0fb40279b2393
parent b47d5de0daca7212cdc47fab3296ca3778b8e608

Merge "Fix potential decrypt destPtr overflow." into rvc-dev am: fc62c64de1 am: b47d5de0da

Original change: https://googleplex-android-review.googlesource.com/c/platform/hardware/interfaces/+/13467452

Change-Id: I5de5d9fd55c518b88c4eb7655bbd24e58c7c2f16

drm/1.0/default/CryptoPlugin.cpp

diff --git a/drm/1.0/default/CryptoPlugin.cpp b/drm/1.0/default/CryptoPlugin.cpp
index de8bbd5..8dea7e9 100644
--- a/drm/1.0/default/CryptoPlugin.cpp
+++ b/drm/1.0/default/CryptoPlugin.cpp
@@ -148,7 +148,10 @@
                 return Void();
             }
 
-            if (destBuffer.offset + destBuffer.size > destBase->getSize()) {
+            size_t totalSize = 0;
+            if (__builtin_add_overflow(destBuffer.offset, destBuffer.size, &totalSize) ||
+                totalSize > destBase->getSize()) {
+                android_errorWriteLog(0x534e4554, "176496353");
                 _hidl_cb(Status::ERROR_DRM_CANNOT_HANDLE, 0, "invalid buffer size");
                 return Void();
             }
@@ -159,7 +162,7 @@
             }
 
             base = static_cast<uint8_t *>(static_cast<void *>(destBase->getPointer()));
-            destPtr = static_cast<void *>(base + destination.nonsecureMemory.offset);
+            destPtr = static_cast<void*>(base + destination.nonsecureMemory.offset);
         } else if (destination.type == BufferType::NATIVE_HANDLE) {
             if (!secure) {
                 _hidl_cb(Status::BAD_VALUE, 0, "native handle destination must be secure");