| author | mosimchah <mosimchah@gmail.com> | 2019-11-26 23:22:27 -0500 |
|---|---|---|
| committer | mosimchah <mosimchah@gmail.com> | 2019-11-26 23:22:27 -0500 |
| commit | 901a4bb0ef3467dde89128ceb20fbc1a243fe3c7 (patch) | |
| tree | 6d98da5a6156ef06e42f4e58554e15c887756ca2 | |
| parent | 87069ec50201c287e21a92d1c75eee7648e5b56a (diff) | |
| parent | fdcf5a9b0d68602ce1aacb69605d885ecaaf8c84 (diff) | |
Merge tag 'android-8.1.0_r70' of https://android.googlesource.com/platform/hardware/interfaces into HEADo8.1
Android 8.1.0 release 70
* tag 'android-8.1.0_r70' of https://android.googlesource.com/platform/hardware/interfaces:
default hidl CryptoPlugin: security fixes [RESTRICT AUTOMERGE]
cas: do not use hidl_memory if size is > SIZE_MAX
cas: fix UAF in descrambler -- DO NOT MERGE
cas: validate shared buffer size before using
Add tests to validate key length for clearkey plugin.
Change-Id: Ib37aba2e689eb1fd3d2e94a7c5a8ad14d0bbb3dc
| -rw-r--r-- | drm/1.0/default/CryptoPlugin.cpp | 35 |
1 files changed, 31 insertions, 4 deletions
diff --git a/drm/1.0/default/CryptoPlugin.cpp b/drm/1.0/default/CryptoPlugin.cpp
index fd75dbd3f..aa5c6edc6 100644
--- a/drm/1.0/default/CryptoPlugin.cpp
+++ b/drm/1.0/default/CryptoPlugin.cpp
@@ -102,11 +102,22 @@ namespace implementation {
 android::CryptoPlugin::SubSample *legacySubSamples = new android::CryptoPlugin::SubSample[subSamples.size()];
+ size_t destSize = 0;
 for (size_t i = 0; i < subSamples.size(); i++) {
- legacySubSamples[i].mNumBytesOfClearData
- = subSamples[i].numBytesOfClearData;
- legacySubSamples[i].mNumBytesOfEncryptedData
- = subSamples[i].numBytesOfEncryptedData;
+ uint32_t numBytesOfClearData = subSamples[i].numBytesOfClearData;
+ legacySubSamples[i].mNumBytesOfClearData = numBytesOfClearData;
+ uint32_t numBytesOfEncryptedData = subSamples[i].numBytesOfEncryptedData;
+ legacySubSamples[i].mNumBytesOfEncryptedData = numBytesOfEncryptedData;
+ if (__builtin_add_overflow(destSize, numBytesOfClearData, &destSize)) {
+ delete[] legacySubSamples;
+ _hidl_cb(Status::BAD_VALUE, 0, "subsample clear size overflow");
+ return Void();
+ }
+ if (__builtin_add_overflow(destSize, numBytesOfEncryptedData, &destSize)) {
+ delete[] legacySubSamples;
+ _hidl_cb(Status::BAD_VALUE, 0, "subsample encrypted size overflow");
+ return Void();
+ }
 }
 AString detailMessage;
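Review bot: The two new overflow exits each repeat `delete[] legacySubSamples;` by hand, and the second hunk adds three more copies, so a later early return that forgets it leaks the array on a path driven by the caller's `subSamples`. Holding the array in a smart pointer removes that class of mistake: `std::unique_ptr<android::CryptoPlugin::SubSample[]> legacySubSamples(new android::CryptoPlugin::SubSample[subSamples.size()]);`, with `legacySubSamples.get()` passed to `decrypt`. A short comment on `destSize` would also help, for example `// total clear + encrypted bytes over all subsamples; compared with the destination size below`, since the name alone does not say it is a sum over the subsamples. The enclosing function starts and ends outside the hunk.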
@@ -138,11 +149,27 @@ namespace implementation {
 _hidl_cb(Status::ERROR_DRM_CANNOT_HANDLE, 0, "invalid buffer size");
 return Void();
 }
+
+ if (destSize > destBuffer.size) {
+ delete[] legacySubSamples;
+ _hidl_cb(Status::BAD_VALUE, 0, "subsample sum too large");
+ return Void();
+ }
+
 destPtr = static_cast<void *>(base + destination.nonsecureMemory.offset);
 } else if (destination.type == BufferType::NATIVE_HANDLE) {
+ if (!secure) {
+ delete[] legacySubSamples;
+ _hidl_cb(Status::BAD_VALUE, 0, "native handle destination must be secure");
+ return Void();
+ }
 native_handle_t *handle = const_cast<native_handle_t *>( destination.secureMemory.getNativeHandle());
 destPtr = static_cast<void *>(handle);
+ } else {
+ delete[] legacySubSamples;
+ _hidl_cb(Status::BAD_VALUE, 0, "invalid destination type");
+ return Void();
 }
 ssize_t result = mLegacyPlugin->decrypt(secure, keyId.data(), iv.data(), legacyMode, legacyPattern, srcPtr, legacySubSamples, |
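Review bot: The new `destSize > destBuffer.size` check bounds the subsample sum only against the shared-memory destination; nothing in the visible lines compares the same sum with the size of the source region behind `srcPtr`. Unless that is checked outside the hunk, the legacy plugin can still be handed subsample lengths that exceed what the source holds. I would add the matching comparison next to the source-buffer validation and reject with `Status::BAD_VALUE` in the same way. In the `NATIVE_HANDLE` branch the result of `getNativeHandle()` is passed on as `destPtr` without a null check, which looks worth rejecting here too rather than leaving to the plugin. The function body begins before and continues past this hunk.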
