summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--cas/1.0/default/DescramblerImpl.cpp53
1 files changed, 52 insertions, 1 deletions
diff --git a/cas/1.0/default/DescramblerImpl.cpp b/cas/1.0/default/DescramblerImpl.cpp
index 3d90809c..36699baf 100644
--- a/cas/1.0/default/DescramblerImpl.cpp
+++ b/cas/1.0/default/DescramblerImpl.cpp
@@ -18,8 +18,9 @@
18#define LOG_TAG "android.hardware.cas@1.0-DescramblerImpl" 18#define LOG_TAG "android.hardware.cas@1.0-DescramblerImpl"
19 19
20#include <hidlmemory/mapping.h> 20#include <hidlmemory/mapping.h>
21#include <media/hardware/CryptoAPI.h>
22#include <media/cas/DescramblerAPI.h> 21#include <media/cas/DescramblerAPI.h>
22#include <media/hardware/CryptoAPI.h>
23#include <media/stagefright/foundation/AUtils.h>
23#include <utils/Log.h> 24#include <utils/Log.h>
24 25
25#include "DescramblerImpl.h" 26#include "DescramblerImpl.h"
@@ -70,6 +71,11 @@ Return<bool> DescramblerImpl::requiresSecureDecoderComponent(
70 return mPlugin->requiresSecureDecoderComponent(String8(mime.c_str())); 71 return mPlugin->requiresSecureDecoderComponent(String8(mime.c_str()));
71} 72}
72 73
74static inline bool validateRangeForSize(
75 uint64_t offset, uint64_t length, uint64_t size) {
76 return isInRange<uint64_t, uint64_t>(0, size, offset, length);
77}
78
73Return<void> DescramblerImpl::descramble( 79Return<void> DescramblerImpl::descramble(
74 ScramblingControl scramblingControl, 80 ScramblingControl scramblingControl,
75 const hidl_vec<SubSample>& subSamples, 81 const hidl_vec<SubSample>& subSamples,
@@ -81,12 +87,57 @@ Return<void> DescramblerImpl::descramble(
81 ALOGV("%s", __FUNCTION__); 87 ALOGV("%s", __FUNCTION__);
82 88
83 sp<IMemory> srcMem = mapMemory(srcBuffer.heapBase); 89 sp<IMemory> srcMem = mapMemory(srcBuffer.heapBase);
90
91 // Validate if the offset and size in the SharedBuffer is consistent with the
92 // mapped ashmem, since the offset and size is controlled by client.
93 if (srcMem == NULL) {
94 ALOGE("Failed to map src buffer.");
95 _hidl_cb(toStatus(BAD_VALUE), 0, NULL);
96 return Void();
97 }
98 if (!validateRangeForSize(
99 srcBuffer.offset, srcBuffer.size, (uint64_t)srcMem->getSize())) {
100 ALOGE("Invalid src buffer range: offset %llu, size %llu, srcMem size %llu",
101 srcBuffer.offset, srcBuffer.size, (uint64_t)srcMem->getSize());
102 android_errorWriteLog(0x534e4554, "67962232");
103 _hidl_cb(toStatus(BAD_VALUE), 0, NULL);
104 return Void();
105 }
106
107 // use 64-bit here to catch bad subsample size that might be overflowing.
108 uint64_t totalBytesInSubSamples = 0;
109 for (size_t i = 0; i < subSamples.size(); i++) {
110 totalBytesInSubSamples += (uint64_t)subSamples[i].numBytesOfClearData +
111 subSamples[i].numBytesOfEncryptedData;
112 }
113 // Further validate if the specified srcOffset and requested total subsample size
114 // is consistent with the source shared buffer size.
115 if (!validateRangeForSize(srcOffset, totalBytesInSubSamples, srcBuffer.size)) {
116 ALOGE("Invalid srcOffset and subsample size: "
117 "srcOffset %llu, totalBytesInSubSamples %llu, srcBuffer size %llu",
118 srcOffset, totalBytesInSubSamples, srcBuffer.size);
119 android_errorWriteLog(0x534e4554, "67962232");
120 _hidl_cb(toStatus(BAD_VALUE), 0, NULL);
121 return Void();
122 }
123
84 void *srcPtr = (uint8_t *)(void *)srcMem->getPointer() + srcBuffer.offset; 124 void *srcPtr = (uint8_t *)(void *)srcMem->getPointer() + srcBuffer.offset;
85 void *dstPtr = NULL; 125 void *dstPtr = NULL;
86 if (dstBuffer.type == BufferType::SHARED_MEMORY) { 126 if (dstBuffer.type == BufferType::SHARED_MEMORY) {
87 // When using shared memory, src buffer is also used as dst, 127 // When using shared memory, src buffer is also used as dst,
88 // we don't map it again here. 128 // we don't map it again here.
89 dstPtr = srcPtr; 129 dstPtr = srcPtr;
130
131 // In this case the dst and src would be the same buffer, need to validate
132 // dstOffset against the buffer size too.
133 if (!validateRangeForSize(dstOffset, totalBytesInSubSamples, srcBuffer.size)) {
134 ALOGE("Invalid dstOffset and subsample size: "
135 "dstOffset %llu, totalBytesInSubSamples %llu, srcBuffer size %llu",
136 dstOffset, totalBytesInSubSamples, srcBuffer.size);
137 android_errorWriteLog(0x534e4554, "67962232");
138 _hidl_cb(toStatus(BAD_VALUE), 0, NULL);
139 return Void();
140 }
90 } else { 141 } else {
91 native_handle_t *handle = const_cast<native_handle_t *>( 142 native_handle_t *handle = const_cast<native_handle_t *>(
92 dstBuffer.secureMemory.getNativeHandle()); 143 dstBuffer.secureMemory.getNativeHandle());