From 0890df5b1665131c3d2c1358dff19931d3553032 Mon Sep 17 00:00:00 2001
From: Vicky Min
Date: Tue, 31 May 2022 19:06:07 +0000
Subject: [PATCH] [DO NOT MERGE] Fix out of bounds buffer error in CreateCoreLicenseResponse()
In CreateCoreLicenseResponse(), there seems to be an out of bounds potential error due to a missing check that the index used for license_response.parsed_license->key_array is valid. Adding a check for this here.
Bug: 217677571
Test: fuzz tests
Change-Id: I37f7228f87992ba5284c553d7b07ef97d6a66ab3
(cherry picked from commit eb711ea0ec6ca32c6af5e7cd4b129d596b238ade)
---
 .../oemcrypto/odk/src/core_message_serialize.cpp | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/libwvdrmengine/oemcrypto/odk/src/core_message_serialize.cpp b/libwvdrmengine/oemcrypto/odk/src/core_message_serialize.cpp
index 334f4429..a33e242e 100644
--- a/libwvdrmengine/oemcrypto/odk/src/core_message_serialize.cpp
+++ b/libwvdrmengine/oemcrypto/odk/src/core_message_serialize.cpp
@@ -13,6 +13,7 @@
 #include "odk_serialize.h"
 #include "odk_structs.h"
 #include "odk_structs_priv.h"
+#include "odk_target.h"
 #include "serialization_base.h"
 namespace oemcrypto_core_message {
@@ -122,6 +123,9 @@ bool CreateCoreLicenseResponse(const CoreMessageFeatures& features,
 license_response)) {
 return false;
 }
+ if (ODK_MAX_NUM_KEYS < license_response.parsed_license->key_array_length) {
+ return false;
+ }
 if (license_response.request.core_message.nonce_values.api_major_version == 16) {
 ODK_LicenseResponseV16 license_response_v16;
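Review bot: The new guard dereferences `license_response.parsed_license` with no null check visible in this hunk. The call just above it receives `license_response` and may already validate the pointer, but that code is outside the hunk, so either confirm it or fold the check into the condition: `if (license_response.parsed_license == nullptr || ODK_MAX_NUM_KEYS < license_response.parsed_license->key_array_length) {`. The guard also assumes that every destination `key_array` this function later writes to holds exactly ODK_MAX_NUM_KEYS entries; a one-line comment such as `// key_array is a fixed-size array of ODK_MAX_NUM_KEYS entries; reject lengths that would index past it.` would record that for the next reader. CreateCoreLicenseResponse() begins and ends outside this hunk.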
@@ -143,7 +147,8 @@ bool CreateCoreLicenseResponse(const CoreMessageFeatures& features,
 license_response_v16.parsed_license.key_array_length = license_response.parsed_license->key_array_length;
 uint32_t i;
- for (i = 0; i < license_response_v16.parsed_license.key_array_length; i++) {
+ for (i = 0; i < license_response_v16.parsed_license.key_array_length &&
+ i < license_response.parsed_license->key_array_length; i++) {
 license_response_v16.parsed_license.key_array[i] = license_response.parsed_license->key_array[i];
 }
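Review bot: The added loop condition `i < license_response.parsed_license->key_array_length` looks redundant, because the statement just above the loop copies that same value into `license_response_v16.parsed_license.key_array_length`; unless the two fields differ in width, both bounds are always equal. The out-of-bounds protection therefore rests entirely on the ODK_MAX_NUM_KEYS check added earlier in the function. If a local bound is wanted as defence in depth, tie it to the array capacity instead, e.g. `i < license_response_v16.parsed_license.key_array_length && i < ODK_MAX_NUM_KEYS; i++) {`, assuming the V16 `key_array` is sized by ODK_MAX_NUM_KEYS, which is not visible here. A unit test that sets `key_array_length` to `ODK_MAX_NUM_KEYS + 1` and expects `false` would pin the fix alongside the fuzz tests.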