diff options
author | Santhosh Behara <santhoshbehara@codeaurora.org> | 2017-09-19 12:43:02 +0530 |
---|---|---|
committer | Dongwon Kang <dwkang@google.com> | 2017-10-09 13:06:38 -0700 |
commit | 38641613a6eb7b761429fcdfa31218e8c63c1c56 (patch) | |
tree | 33e2f319025c8641703bfa9899aa317105e47ff4 /msm8998 | |
parent | d53750a9db5b622fa19423ab82f0ee3ab1e25cbb (diff) | |
download | media-38641613a6eb7b761429fcdfa31218e8c63c1c56.tar.gz |
mm-video-v4l2: venc: Use client allocated memory if available
IL client may free the buffer and calls for free buffer on IL
component to free the buffer header. It may happen that the IL
component may reject the free buffer due to various reasons.
In such scenario, client might have already freed the memory
allocated by client (such scenario will appear in use buffer
mode of buffer allocation). Now accessing client buffer in
such scenario may lead to use after free vulnerability.
Added a flag to indicate if the client buffer is available to
perform any operation on the client allocated memory. If not,
restrict from doing any operation on client memory.
Bug: 62452543
CRs-Fixed: 2106434
Test: build & boot
Test: cts-tradefed run cts-dev --module CtsMediaTestCases --compatibility:module-arg
CtsMediaTestCases:include-annotation:android.platform.test.annotations.RequiresDevice
Change-Id: If24c36b9a1cca36a2728d3aec8ab589a48a9da35
Author: Vikash Garodia<vgarodia@codeaurora.org>
Diffstat (limited to 'msm8998')
-rw-r--r-- | msm8998/mm-video-v4l2/vidc/venc/inc/omx_video_base.h | 1 | ||||
-rw-r--r-- | msm8998/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp | 8 | ||||
-rw-r--r-- | msm8998/mm-video-v4l2/vidc/venc/src/omx_video_encoder.cpp | 2 |
3 files changed, 10 insertions, 1 deletions
diff --git a/msm8998/mm-video-v4l2/vidc/venc/inc/omx_video_base.h b/msm8998/mm-video-v4l2/vidc/venc/inc/omx_video_base.h index afe31ef..26ca1f1 100644 --- a/msm8998/mm-video-v4l2/vidc/venc/inc/omx_video_base.h +++ b/msm8998/mm-video-v4l2/vidc/venc/inc/omx_video_base.h @@ -703,6 +703,7 @@ class omx_video: public qc_omx_component uint64_t m_out_bm_count; uint64_t m_client_out_bm_count; + uint64_t m_client_in_bm_count; uint64_t m_inp_bm_count; uint64_t m_flags; uint64_t m_etb_count; diff --git a/msm8998/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp b/msm8998/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp index 3bcd72c..003b2b6 100644 --- a/msm8998/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp +++ b/msm8998/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp @@ -290,6 +290,7 @@ omx_video::omx_video(): allocate_native_handle(false), m_out_bm_count(0), m_client_out_bm_count(0), + m_client_in_bm_count(0), m_inp_bm_count(0), m_flags(0), m_etb_count(0), @@ -2624,6 +2625,7 @@ OMX_ERRORTYPE omx_video::use_input_buffer( *bufferHdr = (m_inp_mem_ptr + i); BITMASK_SET(&m_inp_bm_count,i); + BITMASK_SET(&m_client_in_bm_count,i); (*bufferHdr)->pBuffer = (OMX_U8 *)buffer; (*bufferHdr)->nSize = sizeof(OMX_BUFFERHEADERTYPE); @@ -3643,6 +3645,10 @@ OMX_ERRORTYPE omx_video::free_buffer(OMX_IN OMX_HANDLETYPE hComp, nPortIndex = buffer - (OMX_BUFFERHEADERTYPE*)m_out_mem_ptr; if(BITMASK_PRESENT(&m_client_out_bm_count, nPortIndex)) BITMASK_CLEAR(&m_client_out_bm_count,nPortIndex); + } else if (port == PORT_INDEX_IN) { + nPortIndex = buffer - (meta_mode_enable?meta_buffer_hdr:m_inp_mem_ptr); + if(BITMASK_PRESENT(&m_client_in_bm_count, nPortIndex)) + BITMASK_CLEAR(&m_client_in_bm_count,nPortIndex); } if (m_state == OMX_StateIdle && (BITMASK_PRESENT(&m_flags ,OMX_COMPONENT_LOADING_PENDING))) { @@ -4004,7 +4010,7 @@ OMX_ERRORTYPE omx_video::empty_this_buffer_proxy(OMX_IN OMX_HANDLETYPE hComp, auto_lock l(m_buf_lock); pmem_data_buf = (OMX_U8 *)m_pInput_pmem[nBufIndex].buffer; - if (pmem_data_buf && BITMASK_PRESENT(&m_inp_bm_count, nBufIndex)) { + if (pmem_data_buf && BITMASK_PRESENT(&m_client_in_bm_count, nBufIndex)) { memcpy (pmem_data_buf, (buffer->pBuffer + buffer->nOffset), buffer->nFilledLen); } diff --git a/msm8998/mm-video-v4l2/vidc/venc/src/omx_video_encoder.cpp b/msm8998/mm-video-v4l2/vidc/venc/src/omx_video_encoder.cpp index 20213b3..526ebb4 100644 --- a/msm8998/mm-video-v4l2/vidc/venc/src/omx_video_encoder.cpp +++ b/msm8998/mm-video-v4l2/vidc/venc/src/omx_video_encoder.cpp @@ -2391,6 +2391,8 @@ OMX_ERRORTYPE omx_venc::component_deinit(OMX_IN OMX_HANDLETYPE hComp) for (i=0; i<m_sInPortDef.nBufferCountActual; i++ ) { if (BITMASK_PRESENT(&m_inp_bm_count, i)) { BITMASK_CLEAR(&m_inp_bm_count, i); + if (BITMASK_PRESENT(&m_client_in_bm_count, i)) + BITMASK_CLEAR(&m_client_in_bm_count, i); free_input_buffer (&m_inp_mem_ptr[i]); } |