From a5c14b7afbacb0017da1a3526b5768696f682a9f Mon Sep 17 00:00:00 2001
From: Edwin Wong <edwinwong@google.com>
Date: Tue, 26 Jan 2021 20:32:24 -0800
Subject: [PATCH] [RESTRICT AUTOMERGE] Fix potential decrypt srcPtr overflow.

Merged from http://go/wvgerrit/114903

There is a potential integer overflow to bypass the
source base size check in decrypt. The source pointer
can then point to the outside of the source buffer,
which could potentially leak arbitrary memory content
to destination pointer.

Test: sts-tradefed
  sts-tradefed run sts-engbuild-no-spl-lock -m StsHostTestCases --test android.security.sts.Bug_176496160#testPocBug_176496160

Test: push to device with target_hwasan-userdebug build
  adb shell /data/local/tmp/Bug-17649616064

Bug: 176496160
Bug: 176444786
Change-Id: I208e0d5d949e8ef003fcf7d6f129eab66b9b3656
---
 libwvdrmengine/mediacrypto/src_hidl/WVCryptoPlugin.cpp | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/libwvdrmengine/mediacrypto/src_hidl/WVCryptoPlugin.cpp b/libwvdrmengine/mediacrypto/src_hidl/WVCryptoPlugin.cpp
index 3cd7a265..61846c01 100644
--- a/libwvdrmengine/mediacrypto/src_hidl/WVCryptoPlugin.cpp
+++ b/libwvdrmengine/mediacrypto/src_hidl/WVCryptoPlugin.cpp
@@ -152,7 +152,11 @@ Return<void> WVCryptoPlugin::decrypt(
     return Void();
   }
 
-  if (source.offset + offset + source.size > sourceBase->getSize()) {
+  size_t totalSrcSize = 0;
+  if (__builtin_add_overflow(source.offset, offset, &totalSrcSize) ||
+      __builtin_add_overflow(totalSrcSize, source.size, &totalSrcSize) ||
+      totalSrcSize > sourceBase->getSize()) {
+    android_errorWriteLog(0x534e4554, "176496160");
     _hidl_cb(Status::ERROR_DRM_CANNOT_HANDLE, 0, "invalid buffer size");
     return Void();
   }