From 51c537e265c68e68fc47855e1d7b264b91cad748 Mon Sep 17 00:00:00 2001 From: Vicky Min Date: Fri, 13 Oct 2023 11:00:43 -0700 Subject: [PATCH] Fix potential signed integer overflow in ODK PiperOrigin-RevId: 573265338 Change-Id: I33dbced572941c9646f7496e20b8d9a49bca5811 --- libwvdrmengine/oemcrypto/odk/include/odk_structs.h | 2 +- .../oemcrypto/odk/src/core_message_serialize_proto.cpp | 9 +++++++-- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/libwvdrmengine/oemcrypto/odk/include/odk_structs.h b/libwvdrmengine/oemcrypto/odk/include/odk_structs.h index 257f3ad2..17cbdf3e 100644 --- a/libwvdrmengine/oemcrypto/odk/include/odk_structs.h +++ b/libwvdrmengine/oemcrypto/odk/include/odk_structs.h @@ -19,7 +19,7 @@ extern "C" { #define ODK_MINOR_VERSION 0 /* ODK Version string. Date changed automatically on each release. */ -#define ODK_RELEASE_DATE "ODK v19.0 2023-10-11" +#define ODK_RELEASE_DATE "ODK v19.0 2023-10-13" /* The lowest version number for an ODK message. */ #define ODK_FIRST_VERSION 16 diff --git a/libwvdrmengine/oemcrypto/odk/src/core_message_serialize_proto.cpp b/libwvdrmengine/oemcrypto/odk/src/core_message_serialize_proto.cpp index 61c50312..8763a170 100644 --- a/libwvdrmengine/oemcrypto/odk/src/core_message_serialize_proto.cpp +++ b/libwvdrmengine/oemcrypto/odk/src/core_message_serialize_proto.cpp @@ -167,9 +167,14 @@ bool CreateCoreLicenseResponseFromProto(const CoreMessageFeatures& features, timer_limits.rental_duration_seconds = policy.rental_duration_seconds(); timer_limits.total_playback_duration_seconds = policy.playback_duration_seconds(); + // On devices these seconds are tracking time so should not be negative. + if (policy.renewal_delay_seconds() < 0 || + policy.renewal_recovery_duration_seconds() < 0) { + return false; + } timer_limits.initial_renewal_duration_seconds = - policy.renewal_delay_seconds() + - policy.renewal_recovery_duration_seconds(); + static_cast(policy.renewal_delay_seconds()) + + static_cast(policy.renewal_recovery_duration_seconds()); parsed_lic.key_array = key_array.data(); parsed_lic.key_array_length = static_cast(key_array.size());