Fix for security vulnerability in media server bug: 23540426 Change-Id: Ifb12ac3350410a49ba7d81d1bde12822c3008cd5

commit: c6fc6a3ca618b0e72ee565ded2e4960797f53fa6 [log] [tgz]
author: Jeff Tinker <jtinker@google.com> Wed Aug 26 20:22:39 2015 -0700
committer: Jeff Tinker <jtinker@google.com> Thu Aug 27 15:23:03 2015 -0700
tree: 400c0e8e818c0932d10a97308ff8f132e553e956
parent: ed555d70d80964f40563d89a4e6d6a80f83f4b89 [diff] [blame]
diff --git a/media/libmedia/ICrypto.cpp b/media/libmedia/ICrypto.cpp
index 947294f..9703b0d 100644
--- a/media/libmedia/ICrypto.cpp
+++ b/media/libmedia/ICrypto.cpp

@@ -303,7 +303,25 @@
             AString errorDetailMsg;
             ssize_t result;
 
-            if (offset + totalSize > sharedBuffer->size()) {
+            size_t sumSubsampleSizes = 0;
+            bool overflow = false;
+            for (int32_t i = 0; i < numSubSamples; ++i) {
+                CryptoPlugin::SubSample &ss = subSamples[i];
+                if (sumSubsampleSizes <= SIZE_MAX - ss.mNumBytesOfEncryptedData) {
+                    sumSubsampleSizes += ss.mNumBytesOfEncryptedData;
+                } else {
+                    overflow = true;
+                }
+                if (sumSubsampleSizes <= SIZE_MAX - ss.mNumBytesOfClearData) {
+                    sumSubsampleSizes += ss.mNumBytesOfClearData;
+                } else {
+                    overflow = true;
+                }
+            }
+
+            if (overflow || sumSubsampleSizes != totalSize) {
+                result = -EINVAL;
+            } else if (offset + totalSize > sharedBuffer->size()) {
                 result = -EINVAL;
             } else {
                 result = decrypt(
commit	c6fc6a3ca618b0e72ee565ded2e4960797f53fa6	[log] [tgz]
author	Jeff Tinker <jtinker@google.com>	Wed Aug 26 20:22:39 2015 -0700
committer	Jeff Tinker <jtinker@google.com>	Thu Aug 27 15:23:03 2015 -0700
tree	400c0e8e818c0932d10a97308ff8f132e553e956
parent	ed555d70d80964f40563d89a4e6d6a80f83f4b89 [diff] [blame]