am 99e63e75: Merge "Fix for security vulnerability in media server DO NOT MERGE" into lmp-dev (d83f2255) · Commits · e / os / android_frameworks_av

media/libmedia/ICrypto.cpp

+23 −1

Original line number	Original line	Diff line number	Diff line
	@@ -255,7 +255,28 @@ status_t BnCrypto::onTransact(
	}		}

	AString errorDetailMsg;		AString errorDetailMsg;
	ssize_t result = decrypt(		ssize_t result;

			size_t sumSubsampleSizes = 0;
			bool overflow = false;
			for (int32_t i = 0; i < numSubSamples; ++i) {
			CryptoPlugin::SubSample &ss = subSamples[i];
			if (sumSubsampleSizes <= SIZE_MAX - ss.mNumBytesOfEncryptedData) {
			sumSubsampleSizes += ss.mNumBytesOfEncryptedData;
			} else {
			overflow = true;
			}
			if (sumSubsampleSizes <= SIZE_MAX - ss.mNumBytesOfClearData) {
			sumSubsampleSizes += ss.mNumBytesOfClearData;
			} else {
			overflow = true;
			}
			}

			if (overflow \|\| sumSubsampleSizes != totalSize) {
			result = -EINVAL;
			} else {
			result = decrypt(
	secure,		secure,
	key,		key,
	iv,		iv,
	@@ -264,6 +285,7 @@ status_t BnCrypto::onTransact(
	subSamples, numSubSamples,		subSamples, numSubSamples,
	secure ? secureBufferId : dstPtr,		secure ? secureBufferId : dstPtr,
	&errorDetailMsg);		&errorDetailMsg);
			}

	reply->writeInt32(result);		reply->writeInt32(result);