LineageOS/android_frameworks_av
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Harden drmserver process against fuzzing attacks

Browse Source 
bug: 19572107
Change-Id: I5ba0a434b016e8dc376f7d0eef5cf76b99ab50fd
This commit is contained in:
Jeff Tinker
2015-04-28 16:42:20 -07:00
parent 4275065e89
commit b408fa26c7
1 changed files with 46 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

56
drm/common/IDrmManagerService.cpp
View File

@@ -34,6 +34,7 @@
#include "IDrmManagerService.h" #include "IDrmManagerService.h"
#define INVALID_BUFFER_LENGTH -1 #define INVALID_BUFFER_LENGTH -1
#define MAX_BINDER_TRANSACTION_SIZE ((1*1024*1024)-(4096*2))
using namespace android; using namespace android;
@@ -933,7 +934,12 @@ status_t BnDrmManagerService::onTransact(
//Filling DRM info //Filling DRM info
const int infoType = data.readInt32(); const int infoType = data.readInt32();
const int bufferSize = data.readInt32(); const uint32_t bufferSize = data.readInt32();
if (bufferSize > data.dataAvail()) {
return BAD_VALUE;
}
char* buffer = NULL; char* buffer = NULL;
if (0 < bufferSize) { if (0 < bufferSize) {
buffer = (char *)data.readInplace(bufferSize); buffer = (char *)data.readInplace(bufferSize);
@@ -986,6 +992,9 @@ status_t BnDrmManagerService::onTransact(
const int size = data.readInt32(); const int size = data.readInt32();
for (int index = 0; index < size; ++index) { for (int index = 0; index < size; ++index) {
if (!data.dataAvail()) {
break;
}
const String8 key(data.readString8()); const String8 key(data.readString8());
if (key == String8("FileDescriptorKey")) { if (key == String8("FileDescriptorKey")) {
char buffer[16]; char buffer[16];
@@ -1035,7 +1044,12 @@ status_t BnDrmManagerService::onTransact(
const int uniqueId = data.readInt32(); const int uniqueId = data.readInt32();
//Filling DRM Rights //Filling DRM Rights
const int bufferSize = data.readInt32(); const uint32_t bufferSize = data.readInt32();
if (bufferSize > data.dataAvail()) {
reply->writeInt32(BAD_VALUE);
return DRM_NO_ERROR;
}
const DrmBuffer drmBuffer((char *)data.readInplace(bufferSize), bufferSize); const DrmBuffer drmBuffer((char *)data.readInplace(bufferSize), bufferSize);
const String8 mimeType(data.readString8()); const String8 mimeType(data.readString8());
@@ -1206,10 +1220,13 @@ status_t BnDrmManagerService::onTransact(
const int convertId = data.readInt32(); const int convertId = data.readInt32();
//Filling input data //Filling input data
const int bufferSize = data.readInt32(); const uint32_t bufferSize = data.readInt32();
if (bufferSize > data.dataAvail()) {
return BAD_VALUE;
}
DrmBuffer* inputData = new DrmBuffer((char *)data.readInplace(bufferSize), bufferSize); DrmBuffer* inputData = new DrmBuffer((char *)data.readInplace(bufferSize), bufferSize);
DrmConvertedStatus* drmConvertedStatus = convertData(uniqueId, convertId, inputData); DrmConvertedStatus* drmConvertedStatus = convertData(uniqueId, convertId, inputData);
if (NULL != drmConvertedStatus) { if (NULL != drmConvertedStatus) {
//Filling Drm Converted Ststus //Filling Drm Converted Ststus
@@ -1393,7 +1410,12 @@ status_t BnDrmManagerService::onTransact(
const int decryptUnitId = data.readInt32(); const int decryptUnitId = data.readInt32();
//Filling Header info //Filling Header info
const int bufferSize = data.readInt32(); const uint32_t bufferSize = data.readInt32();
if (bufferSize > data.dataAvail()) {
reply->writeInt32(BAD_VALUE);
clearDecryptHandle(&handle);
return DRM_NO_ERROR;
}
DrmBuffer* headerInfo = NULL; DrmBuffer* headerInfo = NULL;
headerInfo = new DrmBuffer((char *)data.readInplace(bufferSize), bufferSize); headerInfo = new DrmBuffer((char *)data.readInplace(bufferSize), bufferSize);
@@ -1417,9 +1439,17 @@ status_t BnDrmManagerService::onTransact(
readDecryptHandleFromParcelData(&handle, data); readDecryptHandleFromParcelData(&handle, data);
const int decryptUnitId = data.readInt32(); const int decryptUnitId = data.readInt32();
const int decBufferSize = data.readInt32(); const uint32_t decBufferSize = data.readInt32();
const uint32_t encBufferSize = data.readInt32();
if (encBufferSize > data.dataAvail() ||
decBufferSize > MAX_BINDER_TRANSACTION_SIZE) {
reply->writeInt32(BAD_VALUE);
reply->writeInt32(0);
clearDecryptHandle(&handle);
return DRM_NO_ERROR;
}
const int encBufferSize = data.readInt32();
DrmBuffer* encBuffer DrmBuffer* encBuffer
= new DrmBuffer((char *)data.readInplace(encBufferSize), encBufferSize); = new DrmBuffer((char *)data.readInplace(encBufferSize), encBufferSize);
@@ -1429,8 +1459,10 @@ status_t BnDrmManagerService::onTransact(
DrmBuffer* IV = NULL; DrmBuffer* IV = NULL;
if (0 != data.dataAvail()) { if (0 != data.dataAvail()) {
const int ivBufferlength = data.readInt32(); const uint32_t ivBufferlength = data.readInt32();
IV = new DrmBuffer((char *)data.readInplace(ivBufferlength), ivBufferlength); if (ivBufferlength <= data.dataAvail()) {
IV = new DrmBuffer((char *)data.readInplace(ivBufferlength), ivBufferlength);
}
} }
const status_t status const status_t status
@@ -1477,7 +1509,11 @@ status_t BnDrmManagerService::onTransact(
DecryptHandle handle; DecryptHandle handle;
readDecryptHandleFromParcelData(&handle, data); readDecryptHandleFromParcelData(&handle, data);
const int numBytes = data.readInt32(); const uint32_t numBytes = data.readInt32();
if (numBytes > MAX_BINDER_TRANSACTION_SIZE) {
reply->writeInt32(BAD_VALUE);
return DRM_NO_ERROR;
}
char* buffer = new char[numBytes]; char* buffer = new char[numBytes];
const off64_t offset = data.readInt64(); const off64_t offset = data.readInt64();