From ce01000c1b879d0d9cb52690d0665199a6ccf0af Mon Sep 17 00:00:00 2001
From: "John W. Bruce"
Date: Wed, 28 Jun 2017 19:26:37 -0700
Subject: [PATCH] Add Bounds Check to initDataResemblesPSSH
(Merge from http://go/wvgerrit/29180)
initDataResemblesPSSH was not checking if the buffer was large enough to contain the PSSH markers that it was looking for. Consequently, it could read data past the end of the buffer.
Bug: 63076692
Test: Unit Tests
Test: Google Play Movies
Change-Id: I6a4a3fa4b05d98554645f3c3149569702c96fd66
---
 libwvdrmengine/mediadrm/src/WVDrmPlugin.cpp | 5 +++++
 libwvdrmengine/mediadrm/src_hidl/WVDrmPlugin.cpp | 5 +++++
 2 files changed, 10 insertions(+)
diff --git a/libwvdrmengine/mediadrm/src/WVDrmPlugin.cpp b/libwvdrmengine/mediadrm/src/WVDrmPlugin.cpp
index e5e8bd56..a265e40e 100644
--- a/libwvdrmengine/mediadrm/src/WVDrmPlugin.cpp
+++ b/libwvdrmengine/mediadrm/src/WVDrmPlugin.cpp
@@ -1005,6 +1005,11 @@ status_t WVDrmPlugin::mapOEMCryptoResult(OEMCryptoResult res) {
 bool WVDrmPlugin::initDataResemblesPSSH(const Vector& initData) {
 const uint8_t* const initDataArray = initData.array();
+ if (sizeof(uint32_t) + kPsshTag.size() > initData.size()) {
+ // The init data is so small that it couldn't contain a size and PSSH tag.
+ return false;
+ }
+
 // Extract the size field
 const uint8_t* const sizeField = &initDataArray[0];
 uint32_t nboSize;
diff --git a/libwvdrmengine/mediadrm/src_hidl/WVDrmPlugin.cpp b/libwvdrmengine/mediadrm/src_hidl/WVDrmPlugin.cpp
index 254ebf2c..3261e2e1 100644
--- a/libwvdrmengine/mediadrm/src_hidl/WVDrmPlugin.cpp
+++ b/libwvdrmengine/mediadrm/src_hidl/WVDrmPlugin.cpp
@@ -1312,6 +1312,11 @@ status_t WVDrmPlugin::mapOEMCryptoResult(OEMCryptoResult res) {
 bool WVDrmPlugin::initDataResemblesPSSH(const std::vector& initData) {
 const uint8_t* const initDataArray = initData.data();
+ if (sizeof(uint32_t) + kPsshTag.size() > initData.size()) {
+ // The init data is so small that it couldn't contain a size and PSSH tag.
+ return false;
+ }
+
 // Extract the size field
 const uint8_t* const sizeField = &initDataArray[0];
 uint32_t nboSize;
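Review bot: The new guard in `initDataResemblesPSSH` is added identically here and in `libwvdrmengine/mediadrm/src/WVDrmPlugin.cpp`, but the diffstat lists only those two files, so nothing in this commit pins the over-read fix with a regression test. A unit test that passes init data shorter than `sizeof(uint32_t) + kPsshTag.size()` bytes (including an empty vector) and expects `false` would cover both copies, ideally run under ASan so a reintroduced over-read fails loudly. The guard only covers the fixed size-plus-tag prefix, and the function body continues outside the hunk, so it is worth confirming there that the value decoded from `nboSize` is also checked against `initData.size()` before it is trusted. Since the two copies carry the same check, a shared helper would keep them from drifting apart.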