widevine-partner/android
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add Bounds Check to initDataResemblesPSSH

Browse Source 
(Merge from http://go/wvgerrit/29180)

initDataResemblesPSSH was not checking if the buffer was large enough to
contain the PSSH markers that it was looking for. Consequently, it could
read data past the end of the buffer.

Bug: 63076692
Test: Unit Tests
Test: Google Play Movies
Change-Id: I6a4a3fa4b05d98554645f3c3149569702c96fd66
This commit is contained in:
John W. Bruce
2017-06-28 19:26:37 -07:00
parent 6af84a8821
commit ce01000c1b
2 changed files with 10 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
libwvdrmengine/mediadrm/src/WVDrmPlugin.cpp
View File

@@ -1005,6 +1005,11 @@ status_t WVDrmPlugin::mapOEMCryptoResult(OEMCryptoResult res) {
bool WVDrmPlugin::initDataResemblesPSSH(const Vector<uint8_t>& initData) {
const uint8_t* const initDataArray = initData.array();
if (sizeof(uint32_t) + kPsshTag.size() > initData.size()) {
// The init data is so small that it couldn't contain a size and PSSH tag.
return false;
}
// Extract the size field
const uint8_t* const sizeField = &initDataArray[0];
uint32_t nboSize;

5
libwvdrmengine/mediadrm/src_hidl/WVDrmPlugin.cpp
View File

@@ -1312,6 +1312,11 @@ status_t WVDrmPlugin::mapOEMCryptoResult(OEMCryptoResult res) {
bool WVDrmPlugin::initDataResemblesPSSH(const std::vector<uint8_t>& initData) {
const uint8_t* const initDataArray = initData.data();
if (sizeof(uint32_t) + kPsshTag.size() > initData.size()) {
// The init data is so small that it couldn't contain a size and PSSH tag.
return false;
}
// Extract the size field
const uint8_t* const sizeField = &initDataArray[0];
uint32_t nboSize;