Merge "Fix security vulnerability in ICrypto DO NOT MERGE" into mnc-dev

am: 89bec04cf8 * commit '89bec04cf83598b1868f3f969c220c3200028e03': Fix security vulnerability in ICrypto DO NOT MERGE
author: Jeff Tinker <jtinker@google.com> 2015-12-09 16:39:23 -0800
committer: android-build-merger <android-build-merger@google.com> 2015-12-09 16:39:23 -0800
commit: f797a48b4ceaef56402ecd942ccdebab394daad0 (patch)
tree: 254bb9ca2be0ce5a2fe7fab96181ac15249e741d /media
parent: 3cb2e6732f6d7113435443b10fbe9e3ca8e792bb (diff)
parent: 89bec04cf83598b1868f3f969c220c3200028e03 (diff)
download: frameworks_av-f797a48b4ceaef56402ecd942ccdebab394daad0.zip
frameworks_av-f797a48b4ceaef56402ecd942ccdebab394daad0.tar.gz
frameworks_av-f797a48b4ceaef56402ecd942ccdebab394daad0.tar.bz2
1 files changed, 3 insertions, 1 deletions
diff --git a/media/libmedia/ICrypto.cpp b/media/libmedia/ICrypto.cpp
index a398ff7..22f8af7 100644
--- a/media/libmedia/ICrypto.cpp
+++ b/media/libmedia/ICrypto.cpp
@@ -321,7 +321,9 @@ status_t BnCrypto::onTransact(
 
             if (overflow || sumSubsampleSizes != totalSize) {
                 result = -EINVAL;
-            } else if (offset + totalSize > sharedBuffer->size()) {
+            } else if (totalSize > sharedBuffer->size()) {
+                result = -EINVAL;
+            } else if ((size_t)offset > sharedBuffer->size() - totalSize) {
                 result = -EINVAL;
             } else {
                 result = decrypt(
author	Jeff Tinker <jtinker@google.com>	2015-12-09 16:39:23 -0800
committer	android-build-merger <android-build-merger@google.com>	2015-12-09 16:39:23 -0800
commit	f797a48b4ceaef56402ecd942ccdebab394daad0 (patch)
tree	254bb9ca2be0ce5a2fe7fab96181ac15249e741d /media
parent	3cb2e6732f6d7113435443b10fbe9e3ca8e792bb (diff)
parent	89bec04cf83598b1868f3f969c220c3200028e03 (diff)
download	frameworks_av-f797a48b4ceaef56402ecd942ccdebab394daad0.zip frameworks_av-f797a48b4ceaef56402ecd942ccdebab394daad0.tar.gz frameworks_av-f797a48b4ceaef56402ecd942ccdebab394daad0.tar.bz2