Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 1ac11129 authored by Jeff Tinker's avatar Jeff Tinker Committed by Android Git Automerger
Browse files

am d83f2255: am 99e63e75: Merge "Fix for security vulnerability in media... 

am d83f2255: am 99e63e75: Merge "Fix for security vulnerability in media server DO NOT MERGE" into lmp-dev

* commit 'd83f2255':
  Fix for security vulnerability in media server DO NOT MERGE
parents 3248baeb d83f2255

media/libmedia/ICrypto.cpp

+23 −1
Original line number Diff line number Diff line
@@ -265,7 +265,28 @@ status_t BnCrypto::onTransact( 
            }



            AString errorDetailMsg;

            ssize_t result = decrypt(

            ssize_t result;



            size_t sumSubsampleSizes = 0;

            bool overflow = false;

            for (int32_t i = 0; i < numSubSamples; ++i) {

                CryptoPlugin::SubSample &ss = subSamples[i];

                if (sumSubsampleSizes <= SIZE_MAX - ss.mNumBytesOfEncryptedData) {

                    sumSubsampleSizes += ss.mNumBytesOfEncryptedData;

                } else {

                    overflow = true;

                }

                if (sumSubsampleSizes <= SIZE_MAX - ss.mNumBytesOfClearData) {

                    sumSubsampleSizes += ss.mNumBytesOfClearData;

                } else {

                    overflow = true;

                }

            }



            if (overflow || sumSubsampleSizes != totalSize) {

                result = -EINVAL;

            } else {

                result = decrypt(

                    secure,

                    key,

                    iv,
@@ -274,6 +295,7 @@ status_t BnCrypto::onTransact( 
                    subSamples, numSubSamples,

                    secure ? secureBufferId : dstPtr,

                    &errorDetailMsg);

            }



            reply->writeInt32(result);