diff options
| author | Jeff Tinker <jtinker@google.com> | 2015-08-26 20:22:39 -0700 |
|---|---|---|
| committer | Jeff Tinker <jtinker@google.com> | 2015-08-27 15:23:03 -0700 |
| commit | c6fc6a3ca618b0e72ee565ded2e4960797f53fa6 (patch) | |
| tree | 400c0e8e818c0932d10a97308ff8f132e553e956 /media/libmedia | |
| parent | ed555d70d80964f40563d89a4e6d6a80f83f4b89 (diff) | |
| download | frameworks_av-c6fc6a3ca618b0e72ee565ded2e4960797f53fa6.zip frameworks_av-c6fc6a3ca618b0e72ee565ded2e4960797f53fa6.tar.gz frameworks_av-c6fc6a3ca618b0e72ee565ded2e4960797f53fa6.tar.bz2 | |
Fix for security vulnerability in media server
bug: 23540426
Change-Id: Ifb12ac3350410a49ba7d81d1bde12822c3008cd5
Diffstat (limited to 'media/libmedia')
| -rw-r--r-- | media/libmedia/ICrypto.cpp | 20 |
1 files changed, 19 insertions, 1 deletions
diff --git a/media/libmedia/ICrypto.cpp b/media/libmedia/ICrypto.cpp index 947294f..9703b0d 100644 --- a/media/libmedia/ICrypto.cpp +++ b/media/libmedia/ICrypto.cpp @@ -303,7 +303,25 @@ status_t BnCrypto::onTransact( AString errorDetailMsg; ssize_t result; - if (offset + totalSize > sharedBuffer->size()) { + size_t sumSubsampleSizes = 0; + bool overflow = false; + for (int32_t i = 0; i < numSubSamples; ++i) { + CryptoPlugin::SubSample &ss = subSamples[i]; + if (sumSubsampleSizes <= SIZE_MAX - ss.mNumBytesOfEncryptedData) { + sumSubsampleSizes += ss.mNumBytesOfEncryptedData; + } else { + overflow = true; + } + if (sumSubsampleSizes <= SIZE_MAX - ss.mNumBytesOfClearData) { + sumSubsampleSizes += ss.mNumBytesOfClearData; + } else { + overflow = true; + } + } + + if (overflow || sumSubsampleSizes != totalSize) { + result = -EINVAL; + } else if (offset + totalSize > sharedBuffer->size()) { result = -EINVAL; } else { result = decrypt( |