Commit 6fa04c1b authored Apr 05, 2021 by Edwin Wong

resolve merge conflicts of 0ef6e5e6 to sc-dev

Fix potential decrypt destPtr overflow.

There is a potential integer overflow to bypass the
destination base size check in decrypt. The destPtr
can then point to the outside of the destination buffer.

Test: sts-tradefed
  sts-tradefed run sts-engbuild-no-spl-lock -m StsHostTestCases --test android.security.sts.Bug_176444622#testPocBug_176444622

Test: push to device with target_hwasan-userdebug build
  adb shell /data/local/tmp/Bug-17644462264

Bug: 176444622
Bug: 176496353
Change-Id: I9f0b5e1e74271b7133ab674b37c35cefffe03077

parents 4a6f3063 0ef6e5e6

drm/mediadrm/plugins/clearkey/hidl/CryptoPlugin.cpp

+4 −1

Original line number	Diff line number	Diff line
		@@ -145,7 +145,10 @@ Return<void> CryptoPlugin::decrypt_1_2(

		base = static_cast<uint8_t >(static_cast<void >(destBase->getPointer()));

		if (destBuffer.offset + destBuffer.size > destBase->getSize()) {
		totalSize = 0;
		if (__builtin_add_overflow(destBuffer.offset, destBuffer.size, &totalSize) \|\|
		totalSize > destBase->getSize()) {
		android_errorWriteLog(0x534e4554, "176444622");
		_hidl_cb(Status_V1_2::ERROR_DRM_FRAME_TOO_LARGE, 0, "invalid buffer size");
		return Void();
		}