Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 5ce45a25 authored by Jeff Tinker's avatar Jeff Tinker Committed by Michael Bestas
Browse files

Fix for security vulnerability in media server DO NOT MERGE 

bug: 23540426
Change-Id: I5d602f99fd82e50d0136d47ce20cfa1ac9fd7ae2
(cherry picked from commit 9adc7283)
parent 86570d2a

media/libmedia/ICrypto.cpp

+23 −1
Original line number Diff line number Diff line
@@ -255,7 +255,28 @@ status_t BnCrypto::onTransact( 
            }



            AString errorDetailMsg;

            ssize_t result = decrypt(

            ssize_t result;



            size_t sumSubsampleSizes = 0;

            bool overflow = false;

            for (int32_t i = 0; i < numSubSamples; ++i) {

                CryptoPlugin::SubSample &ss = subSamples[i];

                if (sumSubsampleSizes <= SIZE_MAX - ss.mNumBytesOfEncryptedData) {

                    sumSubsampleSizes += ss.mNumBytesOfEncryptedData;

                } else {

                    overflow = true;

                }

                if (sumSubsampleSizes <= SIZE_MAX - ss.mNumBytesOfClearData) {

                    sumSubsampleSizes += ss.mNumBytesOfClearData;

                } else {

                    overflow = true;

                }

            }



            if (overflow || sumSubsampleSizes != totalSize) {

                result = -EINVAL;

            } else {

                result = decrypt(

                    secure,

                    key,

                    iv,
@@ -264,6 +285,7 @@ status_t BnCrypto::onTransact( 
                    subSamples, numSubSamples,

                    secure ? secureBufferId : dstPtr,

                    &errorDetailMsg);

            }



            reply->writeInt32(result);