authorJeff Tinker <jtinker@google.com>2015-09-17 17:28:46 +0000
committerAndroid Git Automerger <android-git-automerger@android.com>2015-09-17 17:28:46 +0000
commit52b829cbc2cb947733f312211a007ecd2f9fe96b (patch)
tree2a8e238b2dbadc4525217e7656c4827bae4d354b /media
parent190786d3590c6b064a7d32eaa92f4a7b11cf16d5 (diff)
parentf43125ed08a408b02613b99f058564d97ce690cc (diff)
am f43125ed: Merge "Fix for security vulnerability in media server DO NOT MERGE" into klp-dev
* commit 'f43125ed08a408b02613b99f058564d97ce690cc': Fix for security vulnerability in media server DO NOT MERGE
Diffstat (limited to 'media')
-rw-r--r--media/libmedia/ICrypto.cpp24
1 files changed, 23 insertions, 1 deletions
diff --git a/media/libmedia/ICrypto.cpp b/media/libmedia/ICrypto.cpp
index bff4639..2053c45 100644
--- a/media/libmedia/ICrypto.cpp
+++ b/media/libmedia/ICrypto.cpp
@@ -255,7 +255,28 @@ status_t BnCrypto::onTransact(
}
AString errorDetailMsg;
- ssize_t result = decrypt(
+ ssize_t result;
+
+ size_t sumSubsampleSizes = 0;
+ bool overflow = false;
+ for (int32_t i = 0; i < numSubSamples; ++i) {
+ CryptoPlugin::SubSample &ss = subSamples[i];
+ if (sumSubsampleSizes <= SIZE_MAX - ss.mNumBytesOfEncryptedData) {
+ sumSubsampleSizes += ss.mNumBytesOfEncryptedData;
+ } else {
+ overflow = true;
+ }
+ if (sumSubsampleSizes <= SIZE_MAX - ss.mNumBytesOfClearData) {
+ sumSubsampleSizes += ss.mNumBytesOfClearData;
+ } else {
+ overflow = true;
+ }
+ }
+
+ if (overflow || sumSubsampleSizes != totalSize) {
+ result = -EINVAL;
+ } else {
+ result = decrypt(
secure,
key,
iv,
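Review bot: The added validation never checks `numSubSamples` itself: a negative count skips the `for` loop, leaves `sumSubsampleSizes` at 0, and passes the final comparison whenever `totalSize` is also 0, so `decrypt` would still be called with a negative count. Unless that value is already rejected above this hunk (the body of `onTransact` starts outside it), the guard could read `if (overflow || numSubSamples < 0 || sumSubsampleSizes != totalSize) {`. The rejection path is also silent, so a malformed transaction leaves no trace; an `ALOGE("decrypt: subsample sizes do not match totalSize");` before `result = -EINVAL;` would make these requests visible in the log. A `break;` after each `overflow = true;` would also stop the loop as soon as the outcome is decided.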
@@ -264,6 +285,7 @@ status_t BnCrypto::onTransact(
subSamples, numSubSamples,
secure ? secureBufferId : dstPtr,
&errorDetailMsg);
+ }
reply->writeInt32(result);