diff options
Diffstat (limited to 'cas/1.0/default/DescramblerImpl.cpp')
-rw-r--r-- | cas/1.0/default/DescramblerImpl.cpp | 53 |
1 files changed, 52 insertions, 1 deletions
diff --git a/cas/1.0/default/DescramblerImpl.cpp b/cas/1.0/default/DescramblerImpl.cpp index 3d90809c..36699baf 100644 --- a/cas/1.0/default/DescramblerImpl.cpp +++ b/cas/1.0/default/DescramblerImpl.cpp | |||
@@ -18,8 +18,9 @@ | |||
18 | #define LOG_TAG "android.hardware.cas@1.0-DescramblerImpl" | 18 | #define LOG_TAG "android.hardware.cas@1.0-DescramblerImpl" |
19 | 19 | ||
20 | #include <hidlmemory/mapping.h> | 20 | #include <hidlmemory/mapping.h> |
21 | #include <media/hardware/CryptoAPI.h> | ||
22 | #include <media/cas/DescramblerAPI.h> | 21 | #include <media/cas/DescramblerAPI.h> |
22 | #include <media/hardware/CryptoAPI.h> | ||
23 | #include <media/stagefright/foundation/AUtils.h> | ||
23 | #include <utils/Log.h> | 24 | #include <utils/Log.h> |
24 | 25 | ||
25 | #include "DescramblerImpl.h" | 26 | #include "DescramblerImpl.h" |
@@ -70,6 +71,11 @@ Return<bool> DescramblerImpl::requiresSecureDecoderComponent( | |||
70 | return mPlugin->requiresSecureDecoderComponent(String8(mime.c_str())); | 71 | return mPlugin->requiresSecureDecoderComponent(String8(mime.c_str())); |
71 | } | 72 | } |
72 | 73 | ||
74 | static inline bool validateRangeForSize( | ||
75 | uint64_t offset, uint64_t length, uint64_t size) { | ||
76 | return isInRange<uint64_t, uint64_t>(0, size, offset, length); | ||
77 | } | ||
78 | |||
73 | Return<void> DescramblerImpl::descramble( | 79 | Return<void> DescramblerImpl::descramble( |
74 | ScramblingControl scramblingControl, | 80 | ScramblingControl scramblingControl, |
75 | const hidl_vec<SubSample>& subSamples, | 81 | const hidl_vec<SubSample>& subSamples, |
@@ -81,12 +87,57 @@ Return<void> DescramblerImpl::descramble( | |||
81 | ALOGV("%s", __FUNCTION__); | 87 | ALOGV("%s", __FUNCTION__); |
82 | 88 | ||
83 | sp<IMemory> srcMem = mapMemory(srcBuffer.heapBase); | 89 | sp<IMemory> srcMem = mapMemory(srcBuffer.heapBase); |
90 | |||
91 | // Validate if the offset and size in the SharedBuffer is consistent with the | ||
92 | // mapped ashmem, since the offset and size is controlled by client. | ||
93 | if (srcMem == NULL) { | ||
94 | ALOGE("Failed to map src buffer."); | ||
95 | _hidl_cb(toStatus(BAD_VALUE), 0, NULL); | ||
96 | return Void(); | ||
97 | } | ||
98 | if (!validateRangeForSize( | ||
99 | srcBuffer.offset, srcBuffer.size, (uint64_t)srcMem->getSize())) { | ||
100 | ALOGE("Invalid src buffer range: offset %llu, size %llu, srcMem size %llu", | ||
101 | srcBuffer.offset, srcBuffer.size, (uint64_t)srcMem->getSize()); | ||
102 | android_errorWriteLog(0x534e4554, "67962232"); | ||
103 | _hidl_cb(toStatus(BAD_VALUE), 0, NULL); | ||
104 | return Void(); | ||
105 | } | ||
106 | |||
107 | // use 64-bit here to catch bad subsample size that might be overflowing. | ||
108 | uint64_t totalBytesInSubSamples = 0; | ||
109 | for (size_t i = 0; i < subSamples.size(); i++) { | ||
110 | totalBytesInSubSamples += (uint64_t)subSamples[i].numBytesOfClearData + | ||
111 | subSamples[i].numBytesOfEncryptedData; | ||
112 | } | ||
113 | // Further validate if the specified srcOffset and requested total subsample size | ||
114 | // is consistent with the source shared buffer size. | ||
115 | if (!validateRangeForSize(srcOffset, totalBytesInSubSamples, srcBuffer.size)) { | ||
116 | ALOGE("Invalid srcOffset and subsample size: " | ||
117 | "srcOffset %llu, totalBytesInSubSamples %llu, srcBuffer size %llu", | ||
118 | srcOffset, totalBytesInSubSamples, srcBuffer.size); | ||
119 | android_errorWriteLog(0x534e4554, "67962232"); | ||
120 | _hidl_cb(toStatus(BAD_VALUE), 0, NULL); | ||
121 | return Void(); | ||
122 | } | ||
123 | |||
84 | void *srcPtr = (uint8_t *)(void *)srcMem->getPointer() + srcBuffer.offset; | 124 | void *srcPtr = (uint8_t *)(void *)srcMem->getPointer() + srcBuffer.offset; |
85 | void *dstPtr = NULL; | 125 | void *dstPtr = NULL; |
86 | if (dstBuffer.type == BufferType::SHARED_MEMORY) { | 126 | if (dstBuffer.type == BufferType::SHARED_MEMORY) { |
87 | // When using shared memory, src buffer is also used as dst, | 127 | // When using shared memory, src buffer is also used as dst, |
88 | // we don't map it again here. | 128 | // we don't map it again here. |
89 | dstPtr = srcPtr; | 129 | dstPtr = srcPtr; |
130 | |||
131 | // In this case the dst and src would be the same buffer, need to validate | ||
132 | // dstOffset against the buffer size too. | ||
133 | if (!validateRangeForSize(dstOffset, totalBytesInSubSamples, srcBuffer.size)) { | ||
134 | ALOGE("Invalid dstOffset and subsample size: " | ||
135 | "dstOffset %llu, totalBytesInSubSamples %llu, srcBuffer size %llu", | ||
136 | dstOffset, totalBytesInSubSamples, srcBuffer.size); | ||
137 | android_errorWriteLog(0x534e4554, "67962232"); | ||
138 | _hidl_cb(toStatus(BAD_VALUE), 0, NULL); | ||
139 | return Void(); | ||
140 | } | ||
90 | } else { | 141 | } else { |
91 | native_handle_t *handle = const_cast<native_handle_t *>( | 142 | native_handle_t *handle = const_cast<native_handle_t *>( |
92 | dstBuffer.secureMemory.getNativeHandle()); | 143 | dstBuffer.secureMemory.getNativeHandle()); |