widevine-partner/android
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[RESTRICT AUTOMERGE] Fix potential decrypt destPtr overflow.

Browse Source 
There is a potential integer overflow to bypass the
destination base size check in decrypt. The destPtr
can then point to the outside of the destination buffer.

Test: sts-tradefed
  sts-tradefed run sts-engbuild-no-spl-lock -m StsHostTestCases --test android.security.sts.Bug_176444622#testPocBug_176444622

Test: push to device with target_hwasan-userdebug build
  adb shell /data/local/tmp/Bug-17644462264

Bug: 176444622
Bug: 176496353
Change-Id: Id3aece61d46d548c304782d4e1dc3a4747795c01
Merged-In: Id3aece61d46d548c304782d4e1dc3a4747795c01
This commit is contained in:
Edwin Wong
2021-02-02 12:44:26 -08:00
parent c3a24e6c86
commit f3ad627bcb
1 changed files with 4 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
libwvdrmengine/mediacrypto/src_hidl/WVCryptoPlugin.cpp
View File

@@ -213,7 +213,10 @@ Return<void> WVCryptoPlugin::decrypt_1_2(
return Void();
}
if (destBuffer.offset + destBuffer.size > destBase->getSize()) {
size_t totalDstSize = 0;
if (__builtin_add_overflow(destBuffer.offset, destBuffer.size, &totalDstSize) ||
totalDstSize > destBase->getSize()) {
android_errorWriteLog(0x534e4554, "176444622");
_hidl_cb(Status_V1_2::ERROR_DRM_FRAME_TOO_LARGE, 0, "invalid buffer size");
return Void();
}