Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit ca0ee603 authored by Ray Essick's avatar Ray Essick
Browse files

mediadrm_fuzzer set up AString poorly 

Code set up a null pointer and passed it to routines that expected it to
be non-null.

Bug: 221403640
Test: build
Change-Id: Iaaac4d3b59f9663dacbb6a080b9f97689305bb7a
parent 3c56c244

drm/libmediadrm/CryptoHalAidl.cpp

+4 −2
Original line number Diff line number Diff line
@@ -353,7 +353,9 @@ ssize_t CryptoHalAidl::decrypt(const uint8_t keyId[16], const uint8_t iv[16], 


    err = statusAidlToStatusT(statusAidl);

    std::string msgStr(statusAidl.getMessage());

    if (errorDetailMsg != nullptr) {

        *errorDetailMsg = toString8(msgStr);

    }

    if (err != OK) {

        ALOGE("Failed on decrypt, error description:%s", statusAidl.getDescription().c_str());

        return err;

drm/libmediadrm/CryptoHalHidl.cpp

+6 −2
Original line number Diff line number Diff line
@@ -342,8 +342,10 @@ ssize_t CryptoHalHidl::decrypt(const uint8_t keyId[16], const uint8_t iv[16], 
                [&](Status_V1_2 status, uint32_t hBytesWritten, hidl_string hDetailedError) {

                    if (status == Status_V1_2::OK) {

                        bytesWritten = hBytesWritten;

                        if (errorDetailMsg != nullptr) {

                            *errorDetailMsg = toString8(hDetailedError);

                        }

                    }

                    err = toStatusT(status);

                });

    } else {
@@ -353,8 +355,10 @@ ssize_t CryptoHalHidl::decrypt(const uint8_t keyId[16], const uint8_t iv[16], 
                [&](Status status, uint32_t hBytesWritten, hidl_string hDetailedError) {

                    if (status == Status::OK) {

                        bytesWritten = hBytesWritten;

                        if (errorDetailMsg != nullptr) {

                            *errorDetailMsg = toString8(hDetailedError);

                        }

                    }

                    err = toStatusT(status);

                });

    }

drm/libmediadrm/fuzzer/mediadrm_fuzzer.cpp

+3 −2
Original line number Diff line number Diff line
@@ -20,6 +20,7 @@ 


#include <binder/MemoryDealer.h>

#include <hidlmemory/FrameworkUtils.h>

#include <media/stagefright/foundation/AString.h>

#include <mediadrm/CryptoHal.h>

#include <mediadrm/DrmHal.h>

#include <utils/String8.h>
@@ -401,7 +402,7 @@ void DrmFuzzer::invokeCryptoDecrypt(const uint8_t *data) { 
        .secureMemory = nullptr};



    const uint64_t offset = 0;

    AString *errorDetailMsg = nullptr;

    AString errorDetailMsg;

    CryptoPlugin::Mode mode;

    bool shouldPassRandomCryptoMode = mFuzzedDataProvider->ConsumeBool();

    if (shouldPassRandomCryptoMode) {
@@ -411,7 +412,7 @@ void DrmFuzzer::invokeCryptoDecrypt(const uint8_t *data) { 
            kCryptoMode[mFuzzedDataProvider->ConsumeIntegralInRange<size_t>(0, kNumCryptoMode - 1)];

    }

    mCrypto->decrypt(keyId, iv, mode, pattern, sourceBuffer, offset, subSamples, numSubSamples,

                     destBuffer, errorDetailMsg);

                     destBuffer, &errorDetailMsg);



    if (heapSeqNum >= 0) {

        mCrypto->unsetHeap(heapSeqNum);