am 3b863069: am 389e7653: Merge "Fix for security vulnerability in media server" into mnc-dev

* commit '3b86306943e199e000302eec1902fc51be2e0637':
  Fix for security vulnerability in media server
diff --git a/media/libmedia/ICrypto.cpp b/media/libmedia/ICrypto.cpp
index 947294f..9703b0d 100644
--- a/media/libmedia/ICrypto.cpp
+++ b/media/libmedia/ICrypto.cpp
@@ -303,7 +303,25 @@
             AString errorDetailMsg;
             ssize_t result;
 
-            if (offset + totalSize > sharedBuffer->size()) {
+            size_t sumSubsampleSizes = 0;
+            bool overflow = false;
+            for (int32_t i = 0; i < numSubSamples; ++i) {
+                CryptoPlugin::SubSample &ss = subSamples[i];
+                if (sumSubsampleSizes <= SIZE_MAX - ss.mNumBytesOfEncryptedData) {
+                    sumSubsampleSizes += ss.mNumBytesOfEncryptedData;
+                } else {
+                    overflow = true;
+                }
+                if (sumSubsampleSizes <= SIZE_MAX - ss.mNumBytesOfClearData) {
+                    sumSubsampleSizes += ss.mNumBytesOfClearData;
+                } else {
+                    overflow = true;
+                }
+            }
+
+            if (overflow || sumSubsampleSizes != totalSize) {
+                result = -EINVAL;
+            } else if (offset + totalSize > sharedBuffer->size()) {
                 result = -EINVAL;
             } else {
                 result = decrypt(
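Review bot: The bounds check on the new `else if` line still evaluates `offset + totalSize` before comparing it with `sharedBuffer->size()`, so the sum itself can wrap and pass the check even though the added loop now ties `totalSize` to the subsample sizes. The declarations of `offset` and `totalSize` are outside the hunk, so this assumes both are unsigned, caller-supplied values; if so, a large `offset` is enough to wrap. A wrap-free form is `} else if (totalSize > sharedBuffer->size() || offset > sharedBuffer->size() - totalSize) {`. The enclosing block starts before and continues past the hunk, so how the `decrypt(` call uses `offset` is not visible here.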