commit 4b219e9e5ab237eec9931497cf10db4d78982d84
author Jeff Tinker <jtinker@google.com> Mon Sep 14 11:55:43 2015 -0700
committer Jeff Tinker <jtinker@google.com> Mon Sep 14 18:59:06 2015 +0000
tree 062e4c9ffb383786c57f29fba05fea148cd0cf9b
parent f3eb82683a80341f5ac23057aab733a57963cab2

Fix for security vulnerability in media server DO NOT MERGE

bug: 23540426
Change-Id: I7ca419e4008967a0387649e5293ac9d4be71d3c4

media/libmedia/ICrypto.cpp

diff --git a/media/libmedia/ICrypto.cpp b/media/libmedia/ICrypto.cpp
index 7bd120e..0d68ee7 100644
--- a/media/libmedia/ICrypto.cpp
+++ b/media/libmedia/ICrypto.cpp
@@ -255,7 +255,28 @@
             }
 
             AString errorDetailMsg;
-            ssize_t result = decrypt(
+            ssize_t result;
+
+            size_t sumSubsampleSizes = 0;
+            bool overflow = false;
+            for (int32_t i = 0; i < numSubSamples; ++i) {
+                CryptoPlugin::SubSample &ss = subSamples[i];
+                if (sumSubsampleSizes <= SIZE_MAX - ss.mNumBytesOfEncryptedData) {
+                    sumSubsampleSizes += ss.mNumBytesOfEncryptedData;
+                } else {
+                    overflow = true;
+                }
+                if (sumSubsampleSizes <= SIZE_MAX - ss.mNumBytesOfClearData) {
+                    sumSubsampleSizes += ss.mNumBytesOfClearData;
+                } else {
+                    overflow = true;
+                }
+            }
+
+            if (overflow || sumSubsampleSizes != totalSize) {
+                result = -EINVAL;
+            } else {
+                result = decrypt(
                     secure,
                     key,
                     iv,
@@ -264,6 +285,7 @@
                     subSamples, numSubSamples,
                     secure ? secureBufferId : dstPtr,
                     &errorDetailMsg);
+            }
 
             reply->writeInt32(result);