author | Mahesh Lanka <mlanka@qti.qualcomm.com> | 2016-05-11 13:08:39 +0530 |
---|---|---|
committer | The Android Automerger <android-build@google.com> | 2016-05-26 15:20:04 -0700 |
commit | 9cb3c42d1da2fa83652378dc4c2cf869fa50327e (patch) | |
tree | d44c97fd23d15280ec60da7514a978eb212de498 | |
parent | 2c017b758f7e03dfccf6987f171a3a77fc5bb743 (diff) | |
DO NOT MERGE mm-video-v4l2: venc: Avoid processing ETBs/FTBs in invalid states
Refs: android-cts-5.1_r28, android-cts-5.1_r27, android-cts-5.1_r26, android-cts-5.1_r25, android-cts-5.1_r24, android-cts-5.1_r23, android-cts-5.1_r22, android-cts-5.1_r21, android-cts-5.1_r20, android-cts-5.1_r19, android-cts-5.1_r18, android-cts-5.1_r17, android-cts-5.1_r16, android-cts-5.1_r15, android-cts-5.1_r14, android-cts-5.1_r13, android-5.1.1_r38, lollipop-mr1-release, lollipop-mr1-cts-release
(per the spec) ETB/FTB should not be handled in states other than
Executing, Paused and Idle. This avoids accessing invalid buffers.
Also add a lock to protect the private-buffers from being deleted
while accessing from another thread.
Bug: 27903498
Security Vulnerability - Heap Use-After-Free and Possible LPE in
MediaServer (libOmxVenc problem #3)
Change-Id: I898b42034c0add621d4f9d8e02ca0ed4403d4fd3
-rw-r--r-- | mm-video-v4l2/vidc/venc/src/omx_video_base.cpp | 20 |
1 files changed, 16 insertions, 4 deletions
diff --git a/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp b/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp
index 7b5afeb..fcc7a0d 100644
--- a/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp
+++ b/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp
@@ -2554,6 +2554,8 @@ OMX_ERRORTYPE omx_video::free_input_buffer(OMX_BUFFERHEADERTYPE *bufferHdr)
 }
 if (index < m_sInPortDef.nBufferCountActual && m_pInput_pmem) {
+ auto_lock l(m_lock);
+
 if (m_pInput_pmem[index].fd > 0 && input_use_buffer == false) {
 DEBUG_PRINT_LOW("FreeBuffer:: i/p AllocateBuffer case");
 if(!secure_session) {
@@ -2561,6 +2563,7 @@ OMX_ERRORTYPE omx_video::free_input_buffer(OMX_BUFFERHEADERTYPE *bufferHdr)
 } else {
 free(m_pInput_pmem[index].buffer);
 }
+ m_pInput_pmem[index].buffer = NULL;
 close (m_pInput_pmem[index].fd);
 #ifdef USE_ION
 free_ion_memory(&m_pInput_ion[index]);
@@ -2574,6 +2577,7 @@ OMX_ERRORTYPE omx_video::free_input_buffer(OMX_BUFFERHEADERTYPE *bufferHdr)
 }
 if(!secure_session) {
 munmap (m_pInput_pmem[index].buffer,m_pInput_pmem[index].size);
+ m_pInput_pmem[index].buffer = NULL;
 }
 close (m_pInput_pmem[index].fd);
 #ifdef USE_ION
@@ -3281,7 +3285,9 @@ OMX_ERRORTYPE omx_video::empty_this_buffer(OMX_IN OMX_HANDLETYPE hComp,
 unsigned int nBufferIndex ;
 DEBUG_PRINT_LOW("ETB: buffer = %p, buffer->pBuffer[%p]", buffer, buffer->pBuffer);
- if (m_state == OMX_StateInvalid) {
+ if (m_state != OMX_StateExecuting &&
+ m_state != OMX_StatePause &&
+ m_state != OMX_StateIdle) {
 DEBUG_PRINT_ERROR("ERROR: Empty this buffer in Invalid State");
 return OMX_ErrorInvalidState;
 }
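Review bot: In the first free_input_buffer hunk, `auto_lock l(m_lock);` is taken only after `index < m_sInPortDef.nBufferCountActual && m_pInput_pmem` has been evaluated, so the array pointer itself is read outside the lock. If another thread can release or replace `m_pInput_pmem` (not visible here), the guard would have to move above that `if`. The lock's contract is also undocumented; a comment such as `// m_lock: held while releasing m_pInput_pmem[index] so empty_this_buffer_proxy() cannot copy into a buffer being freed` would tell later callers which accesses must take it. The function body starts before and ends after this hunk.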
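Review bot: In the third free_input_buffer hunk, `m_pInput_pmem[index].buffer = NULL;` sits inside `if(!secure_session)`, so on a secure session the field keeps whatever value it held. The `if (pmem_data_buf)` test added in empty_this_buffer_proxy relies on NULL meaning "released"; whether a secure session can reach that memcpy is not visible here, but clearing the pointer unconditionally after the block would make the invariant hold on both paths. The enclosing function starts and ends outside the hunk.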
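Review bot: The new state test in empty_this_buffer reads `m_state` with no lock visible in the hunk, so it is a check-then-act: the component can leave Executing/Pause/Idle on another thread right after the test passes, and buffer lifetime still depends on `m_lock` in the proxy. A comment saying so, e.g. `// best-effort gate; buffer lifetime is enforced under m_lock in empty_this_buffer_proxy()`, would stop readers treating it as the protection. The message "Empty this buffer in Invalid State" now also fires for Loaded and the other rejected states, so logging the value of `m_state` would make it diagnosable. Both remarks apply equally to the identical test in the fill_this_buffer hunk; the function here begins before the hunk and continues after it.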
@@ -3453,9 +3459,13 @@ OMX_ERRORTYPE omx_video::empty_this_buffer_proxy(OMX_IN OMX_HANDLETYPE hComp,
 #endif
 {
 DEBUG_PRINT_LOW("Heap UseBuffer case, so memcpy the data");
+
+ auto_lock l(m_lock);
 pmem_data_buf = (OMX_U8 *)m_pInput_pmem[nBufIndex].buffer;
- memcpy (pmem_data_buf, (buffer->pBuffer + buffer->nOffset),
- buffer->nFilledLen);
+ if (pmem_data_buf) {
+ memcpy (pmem_data_buf, (buffer->pBuffer + buffer->nOffset),
+ buffer->nFilledLen);
+ }
 DEBUG_PRINT_LOW("memcpy() done in ETBProxy for i/p Heap UseBuf");
 } else if (mUseProxyColorFormat) {
 // Gralloc-source buffers with color-conversion
@@ -3511,7 +3521,9 @@ OMX_ERRORTYPE omx_video::fill_this_buffer(OMX_IN OMX_HANDLETYPE hComp,
 OMX_IN OMX_BUFFERHEADERTYPE* buffer)
 {
 DEBUG_PRINT_LOW("FTB: buffer->pBuffer[%p]", buffer->pBuffer);
- if (m_state == OMX_StateInvalid) {
+ if (m_state != OMX_StateExecuting &&
+ m_state != OMX_StatePause &&
+ m_state != OMX_StateIdle) {
 DEBUG_PRINT_ERROR("ERROR: FTB in Invalid State");
 return OMX_ErrorInvalidState;
 }
|
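Review bot: The guarded `memcpy` in empty_this_buffer_proxy still copies `buffer->nFilledLen` bytes with no comparison against the destination size, so the NULL test addresses the freed-buffer case but not an over-long copy when the client-supplied length exceeds the pmem buffer. Unless the length and `nOffset` are validated earlier in the function (outside the hunk), the condition should be `if (pmem_data_buf && buffer->nFilledLen <= m_pInput_pmem[nBufIndex].size) {`. When the test fails, the code falls through to the "memcpy() done" log and carries on with nothing copied; logging an error and returning from that branch would avoid queuing an unfilled input buffer.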
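Review bot: fill_this_buffer dereferences `buffer` in its first statement, `DEBUG_PRINT_LOW("FTB: buffer->pBuffer[%p]", buffer->pBuffer);`, before any validation, so a NULL header passed by the client faults before the new state test is reached. Putting `if (buffer == NULL) return OMX_ErrorBadParameter;` ahead of the log line, and the state test before it, would close that. The function body continues past the end of the hunk.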