Fix potential decrypt src pointer overflow.

There is a potential integer overflow to bypass the source base size check in decrypt. The source pointer can then point to the outside of the source buffer, which could potentially leak arbitrary memory content to destination pointer. Test: sts-tradefed sts-tradefed run sts-engbuild-no-spl-lock -m StsHostTestCases --test android.security.sts.Bug_176496160#testPocBug_176496160 Test: push to device with target_hwasan-userdebug build adb shell /data/local/tmp/Bug-17649616064 Bug: 176496160 Bug: 176444786 Change-Id: I811a6f60948bde2a72906c2c6172fd7bc5feb6d9
2026-02-01 15:58:43 +00:00 · 2021-01-26 20:29:25 -08:00
parent d1a977b771
commit c14f262876
1 changed files with 5 additions and 1 deletions
--- a/drm/1.0/default/CryptoPlugin.cpp
+++ b/drm/1.0/default/CryptoPlugin.cpp
@@ -124,7 +124,11 @@ namespace implementation {
            return Void();
        }

-        if (source.offset + offset + source.size > sourceBase->getSize()) {
+        size_t totalSize = 0;
+        if (__builtin_add_overflow(source.offset, offset, &totalSize) ||
+            __builtin_add_overflow(totalSize, source.size, &totalSize) ||
+            totalSize > sourceBase->getSize()) {
+            android_errorWriteLog(0x534e4554, "176496160");
            _hidl_cb(Status::ERROR_DRM_CANNOT_HANDLE, 0, "invalid buffer size");
            return Void();
        }