From d99a08f99689df977dfc585a436ada5acf4f2a25 Mon Sep 17 00:00:00 2001 From: Praveen Chavan Date: Wed, 15 Jun 2016 17:51:39 -0700 Subject: mm-video-v4l2: venc: add checks before accessing heap pointers Heap pointers do not point to user virtual addresses in case of secure session. Set them to NULL and add checks to avoid accesing them Bug: 28815329 Bug: 28920116 Change-Id: I94fd5808e753b58654d65e175d3857ef46ffba26 --- .../mm-video-v4l2/vidc/venc/src/omx_video_base.cpp | 25 ++++++++++++++++------ .../vidc/venc/src/omx_video_encoder.cpp | 2 +- .../vidc/venc/src/video_encoder_device_v4l2.cpp | 10 +++++++++ 3 files changed, 29 insertions(+), 8 deletions(-) (limited to 'msm8974') diff --git a/msm8974/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp b/msm8974/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp index 3d77f30..cb24ec0 100644 --- a/msm8974/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp +++ b/msm8974/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp @@ -80,7 +80,6 @@ ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #define SZ_4K 0x1000 #define SZ_1M 0x100000 -#define SECURE_BUFPTR 0xDEADBEEF typedef struct OMXComponentCapabilityFlagsType { ////////////////// OMX COMPONENT CAPABILITY RELATED MEMBERS @@ -2260,7 +2259,7 @@ OMX_ERRORTYPE omx_video::use_input_buffer( m_pInput_pmem[i].size = m_sInPortDef.nBufferSize; m_pInput_pmem[i].offset = 0; - m_pInput_pmem[i].buffer = (OMX_U8 *)SECURE_BUFPTR; + m_pInput_pmem[i].buffer = NULL; if(!secure_session) { m_pInput_pmem[i].buffer = (unsigned char *)mmap( NULL,m_pInput_pmem[i].size,PROT_READ|PROT_WRITE, @@ -2268,6 +2267,7 @@ OMX_ERRORTYPE omx_video::use_input_buffer( if (m_pInput_pmem[i].buffer == MAP_FAILED) { DEBUG_PRINT_ERROR("ERROR: mmap() Failed"); + m_pInput_pmem[i].buffer = NULL; close(m_pInput_pmem[i].fd); #ifdef USE_ION free_ion_memory(&m_pInput_ion[i]); @@ -2451,7 +2451,7 @@ OMX_ERRORTYPE omx_video::use_output_buffer( m_pOutput_pmem[i].size = m_sOutPortDef.nBufferSize; m_pOutput_pmem[i].offset = 0; - m_pOutput_pmem[i].buffer = (OMX_U8 *)SECURE_BUFPTR; + m_pOutput_pmem[i].buffer = NULL; if(!secure_session) { #ifdef _MSM8974_ m_pOutput_pmem[i].buffer = (unsigned char *)mmap(NULL, @@ -2464,6 +2464,7 @@ OMX_ERRORTYPE omx_video::use_output_buffer( #endif if (m_pOutput_pmem[i].buffer == MAP_FAILED) { DEBUG_PRINT_ERROR("ERROR: mmap() Failed"); + m_pOutput_pmem[i].buffer = NULL; close(m_pOutput_pmem[i].fd); #ifdef USE_ION free_ion_memory(&m_pOutput_ion[i]); @@ -2862,13 +2863,14 @@ OMX_ERRORTYPE omx_video::allocate_input_buffer( m_pInput_pmem[i].size = m_sInPortDef.nBufferSize; m_pInput_pmem[i].offset = 0; - m_pInput_pmem[i].buffer = (OMX_U8 *)SECURE_BUFPTR; + m_pInput_pmem[i].buffer = NULL; if(!secure_session) { m_pInput_pmem[i].buffer = (unsigned char *)mmap(NULL, m_pInput_pmem[i].size,PROT_READ|PROT_WRITE, MAP_SHARED,m_pInput_pmem[i].fd,0); if (m_pInput_pmem[i].buffer == MAP_FAILED) { DEBUG_PRINT_ERROR("ERROR: mmap FAILED= %d", errno); + m_pInput_pmem[i].buffer = NULL; close(m_pInput_pmem[i].fd); #ifdef USE_ION free_ion_memory(&m_pInput_ion[i]); @@ -2879,6 +2881,10 @@ OMX_ERRORTYPE omx_video::allocate_input_buffer( //This should only be used for passing reference to source type and //secure handle fd struct native_handle_t* m_pInput_pmem[i].buffer = malloc(sizeof(OMX_U32) + sizeof(native_handle_t*)); + if (m_pInput_pmem[i].buffer == NULL) { + DEBUG_PRINT_ERROR("%s: failed to allocate native-handle", __func__); + return OMX_ErrorInsufficientResources; + } } (*bufferHdr)->pBuffer = (OMX_U8 *)m_pInput_pmem[i].buffer; @@ -3023,7 +3029,7 @@ OMX_ERRORTYPE omx_video::allocate_output_buffer( m_pOutput_pmem[i].size = m_sOutPortDef.nBufferSize; m_pOutput_pmem[i].offset = 0; - m_pOutput_pmem[i].buffer = (OMX_U8 *)SECURE_BUFPTR; + m_pOutput_pmem[i].buffer = NULL; if(!secure_session) { #ifdef _MSM8974_ m_pOutput_pmem[i].buffer = (unsigned char *)mmap(NULL, @@ -3036,6 +3042,7 @@ OMX_ERRORTYPE omx_video::allocate_output_buffer( #endif if (m_pOutput_pmem[i].buffer == MAP_FAILED) { DEBUG_PRINT_ERROR("ERROR: MMAP_FAILED in o/p alloc buffer"); + m_pOutput_pmem[i].buffer = NULL; close (m_pOutput_pmem[i].fd); #ifdef USE_ION free_ion_memory(&m_pOutput_ion[i]); @@ -3047,6 +3054,10 @@ OMX_ERRORTYPE omx_video::allocate_output_buffer( //This should only be used for passing reference to source type and //secure handle fd struct native_handle_t* m_pOutput_pmem[i].buffer = malloc(sizeof(OMX_U32) + sizeof(native_handle_t*)); + if (m_pOutput_pmem[i].buffer == NULL) { + DEBUG_PRINT_ERROR("%s: Failed to allocate native-handle", __func__); + return OMX_ErrorInsufficientResources; + } native_handle_t *handle = native_handle_create(1, 0); handle->data[0] = m_pOutput_pmem[i].fd; char *data = (char*) m_pOutput_pmem[i].buffer; @@ -3512,9 +3523,9 @@ OMX_ERRORTYPE omx_video::empty_this_buffer_proxy(OMX_IN OMX_HANDLETYPE hComp, post_event ((unsigned long)buffer,0,OMX_COMPONENT_GENERATE_EBD); return OMX_ErrorBadParameter; } - } else if (input_use_buffer && !m_use_input_pmem) + } else if (input_use_buffer && !m_use_input_pmem && m_pInput_pmem[nBufIndex].buffer) #else - if (input_use_buffer && !m_use_input_pmem) + if (input_use_buffer && !m_use_input_pmem && m_pInput_pmem[nBufIndex].buffer) #endif { DEBUG_PRINT_LOW("Heap UseBuffer case, so memcpy the data"); diff --git a/msm8974/mm-video-v4l2/vidc/venc/src/omx_video_encoder.cpp b/msm8974/mm-video-v4l2/vidc/venc/src/omx_video_encoder.cpp index effa433..33a147b 100644 --- a/msm8974/mm-video-v4l2/vidc/venc/src/omx_video_encoder.cpp +++ b/msm8974/mm-video-v4l2/vidc/venc/src/omx_video_encoder.cpp @@ -2222,7 +2222,7 @@ int omx_venc::async_message_process (void *context, void* message) omxhdr->nFlags = m_sVenc_msg->buf.flags; /*Use buffer case*/ - if (omx->output_use_buffer && !omx->m_use_output_pmem) { + if (omx->output_use_buffer && !omx->m_use_output_pmem && !omx->is_secure_session()) { DEBUG_PRINT_LOW("memcpy() for o/p Heap UseBuffer"); memcpy(omxhdr->pBuffer, (m_sVenc_msg->buf.ptrbuffer), diff --git a/msm8974/mm-video-v4l2/vidc/venc/src/video_encoder_device_v4l2.cpp b/msm8974/mm-video-v4l2/vidc/venc/src/video_encoder_device_v4l2.cpp index 6319eab..b3b37d1 100644 --- a/msm8974/mm-video-v4l2/vidc/venc/src/video_encoder_device_v4l2.cpp +++ b/msm8974/mm-video-v4l2/vidc/venc/src/video_encoder_device_v4l2.cpp @@ -681,6 +681,11 @@ bool venc_dev::venc_get_output_log_flag() int venc_dev::venc_output_log_buffers(const char *buffer_addr, int buffer_len) { + if (venc_handle->is_secure_session()) { + DEBUG_PRINT_ERROR("logging secure output buffers is not allowed!"); + return -1; + } + if (!m_debug.outfile) { int size = 0; if(m_sVenc_cfg.codectype == V4L2_PIX_FMT_MPEG4) { @@ -764,6 +769,11 @@ int venc_dev::venc_extradata_log_buffers(char *buffer_addr) } int venc_dev::venc_input_log_buffers(OMX_BUFFERHEADERTYPE *pbuffer, int fd, int plane_offset) { + if (venc_handle->is_secure_session()) { + DEBUG_PRINT_ERROR("logging secure input buffers is not allowed!"); + return -1; + } + if (!m_debug.infile) { int size = snprintf(m_debug.infile_name, PROPERTY_VALUE_MAX, "%s/input_enc_%lu_%lu_%p.yuv", m_debug.log_loc, m_sVenc_cfg.input_width, m_sVenc_cfg.input_height, this); -- cgit v1.2.3