From 0558edfb315d1c3786fa72c14446e292f32c7d09 Mon Sep 17 00:00:00 2001
From: Edwin Wong <edwinwong@google.com>
Date: Tue, 2 Feb 2021 12:40:26 -0800
Subject: [PATCH] [RESTRICT AUTOMERGE] Fix potential decrypt destPtr overflow.

There is a potential integer overflow to bypass the
destination base size check in decrypt. The destPtr
can then point to the outside of the destination buffer.

Test: sts-tradefed
  sts-tradefed run sts-engbuild-no-spl-lock -m StsHostTestCases --test android.security.sts.Bug_176444622#testPocBug_176444622

Test: push to device with target_hwasan-userdebug build
  adb shell /data/local/tmp/Bug-17644462264

Bug: 176444622
Bug: 176496353
Change-Id: I2aa944d6db1754d10dacee05f2e06071bbb4a3cc
---
 libwvdrmengine/mediacrypto/src_hidl/WVCryptoPlugin.cpp | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/libwvdrmengine/mediacrypto/src_hidl/WVCryptoPlugin.cpp b/libwvdrmengine/mediacrypto/src_hidl/WVCryptoPlugin.cpp
index 61846c01..879bd01d 100644
--- a/libwvdrmengine/mediacrypto/src_hidl/WVCryptoPlugin.cpp
+++ b/libwvdrmengine/mediacrypto/src_hidl/WVCryptoPlugin.cpp
@@ -173,7 +173,10 @@ Return<void> WVCryptoPlugin::decrypt(
       return Void();
     }
 
-    if (destBuffer.offset + destBuffer.size > destBase->getSize()) {
+    size_t totalDstSize = 0;
+    if (__builtin_add_overflow(destBuffer.offset, destBuffer.size, &totalDstSize) ||
+        totalDstSize > destBase->getSize()) {
+      android_errorWriteLog(0x534e4554, "176444622");
       _hidl_cb(Status::ERROR_DRM_CANNOT_HANDLE, 0, "invalid buffer size");
       return Void();
     }