widevine-partner/android
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[RESTRICT AUTOMERGE] Fix potential decrypt srcPtr overflow.

Browse Source 
Merged from http://go/wvgerrit/114903

There is a potential integer overflow to bypass the
source base size check in decrypt. The source pointer
can then point to the outside of the source buffer,
which could potentially leak arbitrary memory content
to destination pointer.

Test: sts-tradefed
  sts-tradefed run sts-engbuild-no-spl-lock -m StsHostTestCases --test android.security.sts.Bug_176496160#testPocBug_176496160

Test: push to device with target_hwasan-userdebug build
  adb shell /data/local/tmp/Bug-17649616064

Bug: 176496160
Bug: 176444786
Change-Id: I0a15d86a87fbf590f39ddf2ce218c83eacb0174e
This commit is contained in:
Edwin Wong
2021-01-27 20:30:06 -08:00
parent 913c890c5f
commit 0253cb580e
1 changed files with 5 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
libwvdrmengine/mediacrypto/src_hidl/WVCryptoPlugin.cpp
View File

@@ -150,7 +150,11 @@ Return<void> WVCryptoPlugin::decrypt(
return Void(); return Void();
} }
if (source.offset + offset + source.size > sourceBase->getSize()) { size_t totalSrcSize = 0;
if (__builtin_add_overflow(source.offset, offset, &totalSrcSize) ||
__builtin_add_overflow(totalSrcSize, source.size, &totalSrcSize) ||
totalSrcSize > sourceBase->getSize()) {
android_errorWriteLog(0x534e4554, "176496160");
_hidl_cb(Status::ERROR_DRM_CANNOT_HANDLE, 0, "invalid buffer size"); _hidl_cb(Status::ERROR_DRM_CANNOT_HANDLE, 0, "invalid buffer size");
return Void(); return Void();
} }