Tad af360bc9ea
20.0: October ASB picks
wget c873988898.patch -O telecomm-01.patch
wget 0fb5786dbf.patch -O mediaprovider-01.patch
wget 1a4b9ef510.patch -O wifi-01.patch
wget 364a1d9962.patch -O bluetooth-01.patch
wget 87a06448b9.patch -O settings-01.patch
wget aaba724a68.patch -O settings-02.patch
wget 507304e1f5.patch -O native-01.patch
wget 89489ff5dd.patch -O base-01.patch
wget d1765c4715.patch -O base-02.patch
wget cbb1a0ecd6.patch -O base-03.patch
wget 4725772c0b.patch -O base-04.patch
wget 19747f6923.patch -O base-05.patch
wget e7a1aa9ed0.patch -O base-06.patch
wget 922a7860b1.patch -O base-07.patch
wget ed183ed912.patch -O base-08.patch
wget c6fbe1330a.patch -O base-09.patch
wget 9141cac175.patch -O base-10.patch
wget 41235bcc67.patch -O av-01.patch
wget a89f704701.patch -O av-02.patch
wget 6d7cd80d77.patch -O av-03.patch
wget 75fc175a08.patch -O av-04.patch
wget b023ec300f.patch -O av-05.patch
wget c8117d1539.patch -O av-06.patch
wget f06d23d824.patch -O av-07.patch
wget 9c7408ab07.patch -O av-08.patch
wget cfbfcefb3c.patch -O launcher-01.patch
wget 4a27a7f162.patch -O libxml-01.patch

Signed-off-by: Tad <tad@spotco.us>
2023-10-03 14:42:00 -04:00


From 41235bcc67a2122bc1d6a4d19e8356b3d1ada91e Mon Sep 17 00:00:00 2001
From: Kyle Zhang <kelzhan@google.com>
Date: Fri, 10 Mar 2023 00:06:16 +0000
Subject: [PATCH] Fix mSession NULL dereference
Bug: 230793853
Test: clearkeyV1.4_fuzzer
Change-Id: I3f11b133a4854a9ef896c9f5042bd719527c3fa6
---
drm/mediadrm/plugins/clearkey/aidl/CryptoPlugin.cpp | 3 +++
drm/mediadrm/plugins/clearkey/hidl/CryptoPlugin.cpp | 4 ++++
2 files changed, 7 insertions(+)
diff --git a/drm/mediadrm/plugins/clearkey/aidl/CryptoPlugin.cpp b/drm/mediadrm/plugins/clearkey/aidl/CryptoPlugin.cpp
index afc9b6a9a4..a63471fd53 100644
--- a/drm/mediadrm/plugins/clearkey/aidl/CryptoPlugin.cpp
+++ b/drm/mediadrm/plugins/clearkey/aidl/CryptoPlugin.cpp
@@ -137,6 +137,8 @@ ::ndk::ScopedAStatus CryptoPlugin::decrypt(const DecryptArgs& in_args, int32_t*
*_aidl_return = static_cast<ssize_t>(offset);
return toNdkScopedAStatus(Status::OK);
} else if (in_args.mode == Mode::AES_CTR) {
+ if (!mSession) return toNdkScopedAStatus(Status::ERROR_DRM_CANNOT_HANDLE,
+ "session not found");
size_t bytesDecrypted{};
std::vector<int32_t> clearDataLengths;
std::vector<int32_t> encryptedDataLengths;
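Review bot: The guard at the top of the AES_CTR branch tests `mSession`, but the member is read again at `mSession->decrypt(...)` in the next hunk, so the check only holds if nothing can reset the member in between. Whether the session setter can run concurrently on another binder thread is not visible here; if it can, read the member once into a local (under whatever synchronization the setter uses), e.g. `auto session = mSession; if (!session) return toNdkScopedAStatus(Status::ERROR_DRM_CANNOT_HANDLE, "session not found");`, and call `session->decrypt(...)`. The same applies to the check added to hidl `decrypt_1_2`. On style, the brace-less `if` whose `return` wraps onto a second line is easy to misread; the braced form used in the hidl hunk is clearer. The body of `decrypt` starts and ends outside the hunk.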
@@ -149,6 +151,7 @@ ::ndk::ScopedAStatus CryptoPlugin::decrypt(const DecryptArgs& in_args, int32_t*
detailedError = "invalid decrypt parameter size";
return toNdkScopedAStatus(Status::ERROR_DRM_CANNOT_HANDLE, detailedError);
}
+
auto res =
mSession->decrypt(in_args.keyId.data(), in_args.iv.data(),
srcPtr, static_cast<uint8_t*>(destPtr),
diff --git a/drm/mediadrm/plugins/clearkey/hidl/CryptoPlugin.cpp b/drm/mediadrm/plugins/clearkey/hidl/CryptoPlugin.cpp
index 7bc320db6b..64a43b0af7 100644
--- a/drm/mediadrm/plugins/clearkey/hidl/CryptoPlugin.cpp
+++ b/drm/mediadrm/plugins/clearkey/hidl/CryptoPlugin.cpp
@@ -211,6 +211,10 @@ Return<void> CryptoPlugin::decrypt_1_2(
_hidl_cb(Status_V1_2::ERROR_DRM_CANNOT_HANDLE, 0, "invalid decrypt parameter size");
return Void();
}
+ if (!mSession) {
+ _hidl_cb(Status_V1_2::ERROR_DRM_CANNOT_HANDLE, 0, "session not found");
+ return Void();
+ }
Status_V1_2 res = mSession->decrypt(keyId.data(), iv.data(), srcPtr,
static_cast<uint8_t*>(destPtr), toVector(subSamples), &bytesDecrypted);
if (res == Status_V1_2::OK) {
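Review bot: The missing-session case added before `mSession->decrypt(...)` reports `ERROR_DRM_CANNOT_HANDLE`, the same status as the "invalid decrypt parameter size" branch just above it, so a caller can tell the two apart only by the message string. If a status change is acceptable to existing clients, `Status_V1_2::ERROR_DRM_SESSION_NOT_OPENED` would let clients and logs distinguish a decrypt issued without a session from a malformed request; the aidl check has the same choice. The check here also runs after parameter validation, while the aidl one runs before it, so the two plugins can report different errors for the same input. A short comment such as `// decrypt may be called before a session has been set` would record why the member can be null. `decrypt_1_2` starts and ends outside the hunk.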