Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit ca0ee603 authored by Ray Essick's avatar Ray Essick
Browse files

mediadrm_fuzzer set up AString poorly

Code set up a null pointer and passed it to routines that expected it to
be non-null.

Bug: 221403640
Test: build
Change-Id: Iaaac4d3b59f9663dacbb6a080b9f97689305bb7a
parent 3c56c244
Loading
Loading
Loading
Loading
+4 −2
Original line number Diff line number Diff line
@@ -353,7 +353,9 @@ ssize_t CryptoHalAidl::decrypt(const uint8_t keyId[16], const uint8_t iv[16],

    err = statusAidlToStatusT(statusAidl);
    std::string msgStr(statusAidl.getMessage());
    if (errorDetailMsg != nullptr) {
        *errorDetailMsg = toString8(msgStr);
    }
    if (err != OK) {
        ALOGE("Failed on decrypt, error description:%s", statusAidl.getDescription().c_str());
        return err;
+6 −2
Original line number Diff line number Diff line
@@ -342,8 +342,10 @@ ssize_t CryptoHalHidl::decrypt(const uint8_t keyId[16], const uint8_t iv[16],
                [&](Status_V1_2 status, uint32_t hBytesWritten, hidl_string hDetailedError) {
                    if (status == Status_V1_2::OK) {
                        bytesWritten = hBytesWritten;
                        if (errorDetailMsg != nullptr) {
                            *errorDetailMsg = toString8(hDetailedError);
                        }
                    }
                    err = toStatusT(status);
                });
    } else {
@@ -353,8 +355,10 @@ ssize_t CryptoHalHidl::decrypt(const uint8_t keyId[16], const uint8_t iv[16],
                [&](Status status, uint32_t hBytesWritten, hidl_string hDetailedError) {
                    if (status == Status::OK) {
                        bytesWritten = hBytesWritten;
                        if (errorDetailMsg != nullptr) {
                            *errorDetailMsg = toString8(hDetailedError);
                        }
                    }
                    err = toStatusT(status);
                });
    }
+3 −2
Original line number Diff line number Diff line
@@ -20,6 +20,7 @@

#include <binder/MemoryDealer.h>
#include <hidlmemory/FrameworkUtils.h>
#include <media/stagefright/foundation/AString.h>
#include <mediadrm/CryptoHal.h>
#include <mediadrm/DrmHal.h>
#include <utils/String8.h>
@@ -401,7 +402,7 @@ void DrmFuzzer::invokeCryptoDecrypt(const uint8_t *data) {
        .secureMemory = nullptr};

    const uint64_t offset = 0;
    AString *errorDetailMsg = nullptr;
    AString errorDetailMsg;
    CryptoPlugin::Mode mode;
    bool shouldPassRandomCryptoMode = mFuzzedDataProvider->ConsumeBool();
    if (shouldPassRandomCryptoMode) {
@@ -411,7 +412,7 @@ void DrmFuzzer::invokeCryptoDecrypt(const uint8_t *data) {
            kCryptoMode[mFuzzedDataProvider->ConsumeIntegralInRange<size_t>(0, kNumCryptoMode - 1)];
    }
    mCrypto->decrypt(keyId, iv, mode, pattern, sourceBuffer, offset, subSamples, numSubSamples,
                     destBuffer, errorDetailMsg);
                     destBuffer, &errorDetailMsg);

    if (heapSeqNum >= 0) {
        mCrypto->unsetHeap(heapSeqNum);