summaryrefslogtreecommitdiffstats
path: root/media/libmedia
diff options
context:
space:
mode:
authorJeff Tinker <jtinker@google.com>2015-08-28 23:34:26 +0000
committerAndroid (Google) Code Review <android-gerrit@google.com>2015-08-28 23:34:26 +0000
commit389e765394a950b9697bba49c1998f2029bd58b4 (patch)
treef57da5502325837589b12f16af40f55de98b3ff7 /media/libmedia
parent909318b3c7e5d80c8a79f8a37200e797a287c061 (diff)
parentc6fc6a3ca618b0e72ee565ded2e4960797f53fa6 (diff)
downloadframeworks_av-389e765394a950b9697bba49c1998f2029bd58b4.zip
frameworks_av-389e765394a950b9697bba49c1998f2029bd58b4.tar.gz
frameworks_av-389e765394a950b9697bba49c1998f2029bd58b4.tar.bz2
Merge "Fix for security vulnerability in media server" into mnc-dev
Diffstat (limited to 'media/libmedia')
-rw-r--r--media/libmedia/ICrypto.cpp20
1 files changed, 19 insertions, 1 deletions
diff --git a/media/libmedia/ICrypto.cpp b/media/libmedia/ICrypto.cpp
index 947294f..9703b0d 100644
--- a/media/libmedia/ICrypto.cpp
+++ b/media/libmedia/ICrypto.cpp
@@ -303,7 +303,25 @@ status_t BnCrypto::onTransact(
AString errorDetailMsg;
ssize_t result;
- if (offset + totalSize > sharedBuffer->size()) {
+ size_t sumSubsampleSizes = 0;
+ bool overflow = false;
+ for (int32_t i = 0; i < numSubSamples; ++i) {
+ CryptoPlugin::SubSample &ss = subSamples[i];
+ if (sumSubsampleSizes <= SIZE_MAX - ss.mNumBytesOfEncryptedData) {
+ sumSubsampleSizes += ss.mNumBytesOfEncryptedData;
+ } else {
+ overflow = true;
+ }
+ if (sumSubsampleSizes <= SIZE_MAX - ss.mNumBytesOfClearData) {
+ sumSubsampleSizes += ss.mNumBytesOfClearData;
+ } else {
+ overflow = true;
+ }
+ }
+
+ if (overflow || sumSubsampleSizes != totalSize) {
+ result = -EINVAL;
+ } else if (offset + totalSize > sharedBuffer->size()) {
result = -EINVAL;
} else {
result = decrypt(
generated by cgit v1.1 at 2024-05-03 05:33:04 +0000