From 1319c43361cc8fdd3e2ce61db4185e38f128e76b Mon Sep 17 00:00:00 2001
From: Jeff Tinker
Date: Mon, 17 Aug 2015 17:56:27 -0700
Subject: [PATCH] Part of fix for libmedia OOB write anywhere

Prevent usage of client provided address on non-secure devices spoofed as being secure.

b/23223325
merge of go/wvgerrit/15420 from widevine repo

Change-Id: I1d4f3a652b3d5e78fca508f92005cfa8df5ec6db
---
 libwvdrmengine/cdm/core/include/wv_cdm_types.h | 1 +
 libwvdrmengine/cdm/core/src/crypto_session.cpp | 4 ++++
 libwvdrmengine/include/mapErrors-inl.h         | 2 ++
 3 files changed, 7 insertions(+)

diff --git a/libwvdrmengine/cdm/core/include/wv_cdm_types.h b/libwvdrmengine/cdm/core/include/wv_cdm_types.h
index e3086753..8dc8d24a 100644
--- a/libwvdrmengine/cdm/core/include/wv_cdm_types.h
+++ b/libwvdrmengine/cdm/core/include/wv_cdm_types.h
@@ -202,6 +202,7 @@ enum CdmResponseType {
   LICENSE_REQUEST_NONCE_GENERATION_ERROR,
   LICENSE_REQUEST_SIGNING_ERROR,
   EMPTY_LICENSE_REQUEST,
+  SECURE_BUFFER_REQUIRED,
 };
 
 enum CdmKeyStatus {
diff --git a/libwvdrmengine/cdm/core/src/crypto_session.cpp b/libwvdrmengine/cdm/core/src/crypto_session.cpp
index e5fc002c..c5c17cb0 100644
--- a/libwvdrmengine/cdm/core/src/crypto_session.cpp
+++ b/libwvdrmengine/cdm/core/src/crypto_session.cpp
@@ -641,6 +641,10 @@ CdmResponseType CryptoSession::Decrypt(const CdmDecryptionParameters& params) {
   buffer_descriptor.type = params.is_secure ? destination_buffer_type_
                                             : OEMCrypto_BufferType_Clear;
 
+  if (params.is_secure && buffer_descriptor.type == OEMCrypto_BufferType_Clear) {
+    return SECURE_BUFFER_REQUIRED;
+  }
+
   switch (buffer_descriptor.type) {
     case OEMCrypto_BufferType_Clear:
       buffer_descriptor.buffer.clear.address =
diff --git a/libwvdrmengine/include/mapErrors-inl.h b/libwvdrmengine/include/mapErrors-inl.h
index 6f848d21..45003e7c 100644
--- a/libwvdrmengine/include/mapErrors-inl.h
+++ b/libwvdrmengine/include/mapErrors-inl.h
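Review bot: The new guard in CryptoSession::Decrypt carries no comment explaining why a caller-asserted secure buffer is rejected once the resolved type is clear, which is the whole security point of the change and will not be obvious to the next reader; a one-line comment above the `if`, such as `// A caller-asserted secure decrypt must never fall through to the clear-buffer path, where the caller-supplied address would otherwise be used directly.`, would record it. Because `buffer_descriptor.type` was assigned from the ternary two lines earlier, the condition is equivalent to `params.is_secure && destination_buffer_type_ == OEMCrypto_BufferType_Clear`, and writing it against `destination_buffer_type_` would make it explicit that the device's capability, not the caller's flag, decides the outcome. The added `if` line is 81 columns, one over the 80-column limit the surrounding two-space-indented code appears to follow, so wrapping the condition would keep it consistent. `CryptoSession::Decrypt` starts and ends outside the hunk, so whether the clear-address path has any other entry points that need the same check cannot be judged from here.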
@@ -345,6 +345,8 @@ static android::status_t mapCdmResponseType(wvcdm::CdmResponseType res) {
       return android::ERROR_DRM_UNKNOWN;
     case wvcdm::UNUSED_1:
       return android::UNKNOWN_ERROR;
+    case wvcdm::SECURE_BUFFER_REQUIRED:
+      return android::ERROR_DRM_CANNOT_HANDLE;
   }
   // Return here instead of as a default case so that the compiler will warn