diff options
| author | Chih-Yu Huang <akahuang@google.com> | 2020-08-20 13:44:59 +0900 |
|---|---|---|
| committer | Chih-Yu Huang <akahuang@google.com> | 2020-08-20 13:46:45 +0900 |
| commit | 3d283c3f5896869489a125fc1feb7732119ba197 (patch) | |
| tree | 5f105ef36d1fb0a400ea9d887f6aa43be1ce00b5 /components | |
| parent | 224de3d78dbde2154f8faaef39d3979f01b57abc (diff) | |
| download | v4l2_codec2-3d283c3f5896869489a125fc1feb7732119ba197.tar.gz | |
V4L2DecodeComponent: Limit the resolution of the output buffers
Malicious video playback might set extremely large resolution during
decoding, to exhaust the system memory.
In this CL, V4L2DecodeComponent checks if the resolution of the output
buffers are larger than the maximum supported size 4096x4096. If so,
V4L2DecodeComponent will notify the Codec2 framework that error occurs
and exit gracefully.
Bug: 157113946
Test: pass tast.arc.VideoDecodeAccel.h264_vm
Change-Id: I94a5223d7d3d734ffca06064cf375944e28f68b1
Diffstat (limited to 'components')
| -rw-r--r-- | components/V4L2DecodeComponent.cpp | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/components/V4L2DecodeComponent.cpp b/components/V4L2DecodeComponent.cpp index 49f04d6..0548267 100644 --- a/components/V4L2DecodeComponent.cpp +++ b/components/V4L2DecodeComponent.cpp @@ -264,6 +264,16 @@ void V4L2DecodeComponent::getVideoFramePool(std::unique_ptr<VideoFramePool>* poo ALOGV("%s()", __func__); ALOG_ASSERT(mDecoderTaskRunner->RunsTasksInCurrentSequence()); + // (b/157113946): Prevent malicious dynamic resolution change exhausts system memory. + constexpr int kMaximumSupportedArea = 4096 * 4096; + if (size.width() * size.height() > kMaximumSupportedArea) { + ALOGE("The output size (%dx%d) is larger than supported size (4096x4096)", size.width(), + size.height()); + reportError(C2_BAD_VALUE); + *pool = nullptr; + return; + } + // Get block pool ID configured from the client. auto poolId = mIntfImpl->getBlockPoolId(); ALOGI("Using C2BlockPool ID = %" PRIu64 " for allocating output buffers", poolId); |