[DO NOT MERGE] Fix out of bounds buffer error in CreateCoreLicenseResponse()

In CreateCoreLicenseResponse(), there appears to be a potential
out-of-bounds access because the index used for
license_response.parsed_license->key_array is never checked for
validity. This change adds that check.

Bug: 217677571
Test: fuzz tests
Change-Id: I37f7228f87992ba5284c553d7b07ef97d6a66ab3
(cherry picked from commit eb711ea0ec)
Vicky Min
2022-05-31 19:06:07 +00:00
parent 381f879ff7
commit 8c71d5acd0


@@ -13,6 +13,7 @@
#include "odk_serialize.h"
#include "odk_structs.h"
#include "odk_structs_priv.h"
#include "odk_target.h"
#include "serialization_base.h"
namespace oemcrypto_core_message {
@@ -122,6 +123,9 @@ bool CreateCoreLicenseResponse(const CoreMessageFeatures& features,
license_response)) {
return false;
}
if (ODK_MAX_NUM_KEYS < license_response.parsed_license->key_array_length) {
return false;
}
if (license_response.request.core_message.nonce_values.api_major_version ==
16) {
ODK_LicenseResponseV16 license_response_v16;
@@ -143,7 +147,8 @@ bool CreateCoreLicenseResponse(const CoreMessageFeatures& features,
license_response_v16.parsed_license.key_array_length =
license_response.parsed_license->key_array_length;
uint32_t i;
for (i = 0; i < license_response_v16.parsed_license.key_array_length; i++) {
for (i = 0; i < license_response_v16.parsed_license.key_array_length &&
i < license_response.parsed_license->key_array_length; i++) {
license_response_v16.parsed_license.key_array[i] =
license_response.parsed_license->key_array[i];
}
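Review bot: The second conjunct added to the loop condition in the last hunk is redundant, because `license_response_v16.parsed_license.key_array_length` is assigned from `license_response.parsed_license->key_array_length` just above it, so both bounds are always the same value and the loop is no safer than before. The effective guard is the `ODK_MAX_NUM_KEYS` check in the second hunk, and it only protects the copy if both `key_array` members are declared with at least `ODK_MAX_NUM_KEYS` elements, which is not visible on this page. I would keep the original `for (i = 0; i < license_response_v16.parsed_license.key_array_length; i++) {` and document the early return with `// key_array has ODK_MAX_NUM_KEYS slots; reject larger counts before the copy below.`. The new check also dereferences `parsed_license`, so if the preceding call does not guarantee it is non-null, that should be tested first. The body of CreateCoreLicenseResponse() starts and ends outside these hunks.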