mirror of
https://github.com/Evolution-X/hardware_interfaces
synced 2026-02-01 11:36:00 +00:00
default hidl CryptoPlugin: security fixes am: 1e18883b72
am: 02ef6a6283
Change-Id: I19a3ea993f954db12008af47d0f14f97962d92fb
This commit is contained in:
Robert Shih
android-build-merger
@@ -101,11 +101,20 @@ namespace implementation {
|
|||||||
std::unique_ptr<android::CryptoPlugin::SubSample[]> legacySubSamples =
|
std::unique_ptr<android::CryptoPlugin::SubSample[]> legacySubSamples =
|
||||||
std::make_unique<android::CryptoPlugin::SubSample[]>(subSamples.size());
|
std::make_unique<android::CryptoPlugin::SubSample[]>(subSamples.size());
|
||||||
|
|
||||||
|
size_t destSize = 0;
|
||||||
for (size_t i = 0; i < subSamples.size(); i++) {
|
for (size_t i = 0; i < subSamples.size(); i++) {
|
||||||
legacySubSamples[i].mNumBytesOfClearData
|
uint32_t numBytesOfClearData = subSamples[i].numBytesOfClearData;
|
||||||
= subSamples[i].numBytesOfClearData;
|
legacySubSamples[i].mNumBytesOfClearData = numBytesOfClearData;
|
||||||
legacySubSamples[i].mNumBytesOfEncryptedData
|
uint32_t numBytesOfEncryptedData = subSamples[i].numBytesOfEncryptedData;
|
||||||
= subSamples[i].numBytesOfEncryptedData;
|
legacySubSamples[i].mNumBytesOfEncryptedData = numBytesOfEncryptedData;
|
||||||
|
if (__builtin_add_overflow(destSize, numBytesOfClearData, &destSize)) {
|
||||||
|
_hidl_cb(Status::BAD_VALUE, 0, "subsample clear size overflow");
|
||||||
|
return Void();
|
||||||
|
}
|
||||||
|
if (__builtin_add_overflow(destSize, numBytesOfEncryptedData, &destSize)) {
|
||||||
|
_hidl_cb(Status::BAD_VALUE, 0, "subsample encrypted size overflow");
|
||||||
|
return Void();
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
AString detailMessage;
|
AString detailMessage;
|
||||||
@@ -137,11 +146,24 @@ namespace implementation {
|
|||||||
_hidl_cb(Status::ERROR_DRM_CANNOT_HANDLE, 0, "invalid buffer size");
|
_hidl_cb(Status::ERROR_DRM_CANNOT_HANDLE, 0, "invalid buffer size");
|
||||||
return Void();
|
return Void();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (destSize > destBuffer.size) {
|
||||||
|
_hidl_cb(Status::BAD_VALUE, 0, "subsample sum too large");
|
||||||
|
return Void();
|
||||||
|
}
|
||||||
|
|
||||||
destPtr = static_cast<void *>(base + destination.nonsecureMemory.offset);
|
destPtr = static_cast<void *>(base + destination.nonsecureMemory.offset);
|
||||||
} else if (destination.type == BufferType::NATIVE_HANDLE) {
|
} else if (destination.type == BufferType::NATIVE_HANDLE) {
|
||||||
|
if (!secure) {
|
||||||
|
_hidl_cb(Status::BAD_VALUE, 0, "native handle destination must be secure");
|
||||||
|
return Void();
|
||||||
|
}
|
||||||
native_handle_t *handle = const_cast<native_handle_t *>(
|
native_handle_t *handle = const_cast<native_handle_t *>(
|
||||||
destination.secureMemory.getNativeHandle());
|
destination.secureMemory.getNativeHandle());
|
||||||
destPtr = static_cast<void *>(handle);
|
destPtr = static_cast<void *>(handle);
|
||||||
|
} else {
|
||||||
|
_hidl_cb(Status::BAD_VALUE, 0, "invalid destination type");
|
||||||
|
return Void();
|
||||||
}
|
}
|
||||||
ssize_t result = mLegacyPlugin->decrypt(secure, keyId.data(), iv.data(),
|
ssize_t result = mLegacyPlugin->decrypt(secure, keyId.data(), iv.data(),
|
||||||
legacyMode, legacyPattern, srcPtr, legacySubSamples.get(),
|
legacyMode, legacyPattern, srcPtr, legacySubSamples.get(),
|
||||||
|
|||||||
Reference in New Issue
Block a user