author | Praveen Chavan <pchavan@codeaurora.org> | 2016-03-30 18:34:17 -0700 |
---|---|---|
committer | Steve Pfetsch <spfetsch@google.com> | 2016-04-05 00:12:45 +0000 |
commit | 00c00c349f132b5bba20e26ed54d01e9be9f87e4 (patch) | |
tree | 724dc390b6bf381a7217459f847b98b14c645b13 | |
parent | ce256dab580d6601e34cf59642f642bd496952ae (diff) | |
download | media-00c00c349f132b5bba20e26ed54d01e9be9f87e4.tar.gz |
mm-video-v4l2: vdec: Add range check before native_buffer usage
Restore missing buffer-index calculation, without which,
native-handles were not being saved properly and NULL handles
got sent out to gralloc::setMetadata
A bad buffer index can cause the OMX component to make an out-of-bounds
read/write access on the native_buffer array and cause a
crash. Add a range check to fix the issue.
Bug: 25976027
Change-Id: I684a501a1a71898b5c1c80566125459a5972c959
-rw-r--r-- | msm8974/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp | 31 |
1 files changed, 25 insertions, 6 deletions
diff --git a/msm8974/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp b/msm8974/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp
index 2895c83..23170fd 100644
--- a/msm8974/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp
+++ b/msm8974/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp
@@ -6426,9 +6426,20 @@ OMX_ERRORTYPE omx_vdec::fill_this_buffer(OMX_IN OMX_HANDLETYPE hComp,
 return OMX_ErrorBadParameter;
 }
 
- //Store private handle from GraphicBuffer
- native_buffer[nPortIndex].privatehandle = handle;
- native_buffer[nPortIndex].nativehandle = handle;
+ //Fill outputbuffer with buffer details, this will be sent to f/w during VIDIOC_QBUF
+ nPortIndex = buffer-((OMX_BUFFERHEADERTYPE *)client_buffers.get_il_buf_hdr());
+ if (nPortIndex < drv_ctx.op_buf.actualcount &&
+ nPortIndex < MAX_NUM_INPUT_OUTPUT_BUFFERS) {
+ drv_ctx.ptr_outputbuffer[nPortIndex].pmem_fd = handle->fd;
+ drv_ctx.ptr_outputbuffer[nPortIndex].bufferaddr = (OMX_U8*) buffer;
+
+ //Store private handle from GraphicBuffer
+ native_buffer[nPortIndex].privatehandle = handle;
+ native_buffer[nPortIndex].nativehandle = handle;
+ } else {
+ DEBUG_PRINT_ERROR("[FTB]Invalid native_buffer index: %d", nPortIndex);
+ return OMX_ErrorBadParameter;
+ }
 
 //buffer->nAllocLen will be sizeof(struct VideoDecoderOutputMetaData). Overwrite
 //this with a more sane size so that we don't compensate in rest of code
@@ -7345,8 +7356,14 @@ OMX_ERRORTYPE omx_vdec::fill_buffer_done(OMX_HANDLETYPE hComp,
 }
 
 //Clear graphic buffer handles in dynamic mode
- native_buffer[nPortIndex].privatehandle = NULL;
- native_buffer[nPortIndex].nativehandle = NULL;
+ if (nPortIndex < drv_ctx.op_buf.actualcount &&
+ nPortIndex < MAX_NUM_INPUT_OUTPUT_BUFFERS) {
+ native_buffer[nPortIndex].privatehandle = NULL;
+ native_buffer[nPortIndex].nativehandle = NULL;
+ } else {
+ DEBUG_PRINT_ERROR("[FBD]Invalid native_buffer index: %d", nPortIndex);
+ return OMX_ErrorBadParameter;
+ }
 }
 m_cb.FillBufferDone (hComp,m_app_data,il_buffer);
 } else {
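Review bot: The new guard in fill_this_buffer bounds `nPortIndex` only from above, while the index is derived by pointer subtraction from the client-supplied `buffer`. The declaration of `nPortIndex` is outside the hunk; if it is signed, a header pointer below `client_buffers.get_il_buf_hdr()` gives a negative index, and whether the two comparisons reject it depends on operand types that are not visible here. Making the lower bound explicit removes that dependency, e.g. `ptrdiff_t idx = buffer - (OMX_BUFFERHEADERTYPE *)client_buffers.get_il_buf_hdr();` followed by `if (idx < 0 || idx >= (ptrdiff_t)drv_ctx.op_buf.actualcount || idx >= MAX_NUM_INPUT_OUTPUT_BUFFERS) return OMX_ErrorBadParameter;`. The same upper-bound-only pattern is used in both fill_buffer_done hunks. If the variable is in fact unsigned, the `%d` in the error log should be `%u`.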
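Review bot: The `else` branch added in fill_buffer_done returns `OMX_ErrorBadParameter` before the `m_cb.FillBufferDone (hComp,m_app_data,il_buffer);` call visible just below it, so for an out-of-range index the client is never handed this buffer back. Nothing in the hunk shows the caller recovering from that return, so this may trade the out-of-bounds write for a stalled output buffer; the earlier part of the function, including where `nPortIndex` is computed, is outside the hunk. Consider validating the index at the point where it is computed, before any per-buffer work, or documenting the choice at the return with a comment such as `// index rejected: FillBufferDone is intentionally not delivered for this header`.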
@@ -7365,7 +7382,9 @@ OMX_ERRORTYPE omx_vdec::fill_buffer_done(OMX_HANDLETYPE hComp,
 private_handle_t *private_handle = NULL;
 dim.sliceWidth = framesize.nWidth;
 dim.sliceHeight = framesize.nHeight;
- if (native_buffer[buf_index].privatehandle)
+ if (buf_index < drv_ctx.op_buf.actualcount &&
+ buf_index < MAX_NUM_INPUT_OUTPUT_BUFFERS &&
+ native_buffer[buf_index].privatehandle)
 private_handle = native_buffer[buf_index].privatehandle;
 if (private_handle) {
 DEBUG_PRINT_LOW("set metadata: update buf-geometry with stride %d slice %d", |
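Review bot: An out-of-range `buf_index` is skipped silently at this site, whereas the other two sites in the commit log the index and return `OMX_ErrorBadParameter`; a `DEBUG_PRINT_ERROR` in the same style would keep a bad index visible in logs instead of only suppressing the metadata update. The two-part bound is now written three times, so a small private helper, for example `bool is_valid_op_buf_index(unsigned idx) const`, would keep the three sites from drifting apart. The computation of `buf_index` is outside the hunk.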