diff options
author | Praveen Chavan <pchavan@codeaurora.org> | 2016-09-16 18:48:20 -0700 |
---|---|---|
committer | Marco Nelissen <marcone@google.com> | 2016-10-18 13:56:59 -0700 |
commit | 7b99376ecf7a6746e3bcb146975c00fc9ea560ab (patch) | |
tree | a758aff774c2533ea0e0fab47adfff5f6e3b88a7 /msm8996 | |
parent | e051241fbdc0203cfcf4bacb304e7df650490cfa (diff) | |
download | media-7b99376ecf7a6746e3bcb146975c00fc9ea560ab.tar.gz |
mm-video-v4l2: vdec: Disallow input usebuffer for secure case
In secure mode, input buffer _must_ be allocated by the component to
allocate a secure buffer.
Client-supplied memory via usebuffer does not qualify as secure-memory
and must be rejected. This also avoids accidental heap-overflow while
copying bitstream from user-memory to a smaller-sized secure-payload
(usually the buffer-header itself)
Bug : 30148882
Fixes : Heap Overflow/LPE in MediaServer (libOmxVdec problem #11)
CRs-Fixed: 1071731
Change-Id: Ibbde2d6a9c1f30e8482a533cadb13e44d8dcb2c0
Diffstat (limited to 'msm8996')
-rw-r--r-- | msm8996/mm-video-v4l2/vidc/vdec/src/omx_vdec_v4l2.cpp | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/msm8996/mm-video-v4l2/vidc/vdec/src/omx_vdec_v4l2.cpp b/msm8996/mm-video-v4l2/vidc/vdec/src/omx_vdec_v4l2.cpp index 806521f..bf363e8 100644 --- a/msm8996/mm-video-v4l2/vidc/vdec/src/omx_vdec_v4l2.cpp +++ b/msm8996/mm-video-v4l2/vidc/vdec/src/omx_vdec_v4l2.cpp @@ -5769,6 +5769,12 @@ OMX_ERRORTYPE omx_vdec::use_input_heap_buffers( { DEBUG_PRINT_LOW("Inside %s, %p", __FUNCTION__, buffer); OMX_ERRORTYPE eRet = OMX_ErrorNone; + + if (secure_mode) { + DEBUG_PRINT_ERROR("use_input_heap_buffers is not allowed in secure mode"); + return OMX_ErrorUndefined; + } + if (!m_inp_heap_ptr) m_inp_heap_ptr = (OMX_BUFFERHEADERTYPE*) calloc( (sizeof(OMX_BUFFERHEADERTYPE)), @@ -7012,7 +7018,7 @@ OMX_ERRORTYPE omx_vdec::empty_this_buffer_proxy(OMX_IN OMX_HANDLETYPE hComp, /*for use buffer we need to memcpy the data*/ temp_buffer->buffer_len = buffer->nFilledLen; - if (input_use_buffer && temp_buffer->bufferaddr) { + if (input_use_buffer && temp_buffer->bufferaddr && !secure_mode) { if (buffer->nFilledLen <= temp_buffer->buffer_len) { if (arbitrary_bytes) { memcpy (temp_buffer->bufferaddr, (buffer->pBuffer + buffer->nOffset),buffer->nFilledLen); |