From 7b461b52966265b7b55f723c22fa02fac32a8709 Mon Sep 17 00:00:00 2001
From: Jeff Tinker <jtinker@google.com>
Date: Fri, 4 Dec 2015 16:29:16 -0800
Subject: Fix security vulnerability in ICrypto DO NOT MERGE

b/25800375

Change-Id: I03c9395f7c7de4ac5813a1207452aac57aa39484
---
 media/libmedia/ICrypto.cpp | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

(limited to 'media/libmedia')

diff --git a/media/libmedia/ICrypto.cpp b/media/libmedia/ICrypto.cpp
index a398ff7..22f8af7 100644
--- a/media/libmedia/ICrypto.cpp
+++ b/media/libmedia/ICrypto.cpp
@@ -321,7 +321,9 @@ status_t BnCrypto::onTransact(
 
             if (overflow || sumSubsampleSizes != totalSize) {
                 result = -EINVAL;
-            } else if (offset + totalSize > sharedBuffer->size()) {
+            } else if (totalSize > sharedBuffer->size()) {
+                result = -EINVAL;
+            } else if ((size_t)offset > sharedBuffer->size() - totalSize) {
                 result = -EINVAL;
             } else {
                 result = decrypt(
-- 
cgit v1.1