This fixes a critical bug that is due to heap corruption from the JPEG encoder.

It adds a mutex around the global allocation list used by the component, and adds the required padding around the LCML config buffer. Signed-off-by: Daniel Charles <dcharles@ti.com> Originally from: https://partner.source.android.com/g/#change,1103
author: Andrew Collins <andrewcollins@motorola.com> 2009-09-18 15:31:05 -0700
committer: James Dong <jdong@google.com> 2009-09-18 15:36:10 -0700
commit: bca73818821dde513097a412ae6f2539d927e588 (patch)
tree: 3c5d629d32a3c82e41acbe1744292a9b91a5f838 /omx
parent: 990117074ba37226d82be2f2ebe3739e488f848c (diff)
download: omap3-bca73818821dde513097a412ae6f2539d927e588.tar.gz
3 files changed, 25 insertions, 9 deletions
diff --git a/omx/image/src/openmax_il/jpeg_enc/inc/OMX_JpegEnc_Utils.h b/omx/image/src/openmax_il/jpeg_enc/inc/OMX_JpegEnc_Utils.h
index d59ab9d..1271df9 100644
--- a/omx/image/src/openmax_il/jpeg_enc/inc/OMX_JpegEnc_Utils.h
+++ b/omx/image/src/openmax_il/jpeg_enc/inc/OMX_JpegEnc_Utils.h
@@ -86,6 +86,8 @@
 #define COMP_MAX_NAMESIZE 127
 
 #define OMX_CustomCommandStopThread (OMX_CommandMax - 1)
+#define PADDING_128_BYTE 128
+#define PADDING_256_BYTE 256
 
 
 #ifdef UNDER_CE
@@ -114,6 +116,7 @@ typedef struct Node {
 
 typedef struct LinkedList {
     Node *pRoot;
+    pthread_mutex_t lock;
 }   LinkedList;
 
 LinkedList AllocList;
diff --git a/omx/image/src/openmax_il/jpeg_enc/src/OMX_JpegEnc_Utils.c b/omx/image/src/openmax_il/jpeg_enc/src/OMX_JpegEnc_Utils.c
index 1cad17c..d7d169e 100644
--- a/omx/image/src/openmax_il/jpeg_enc/src/OMX_JpegEnc_Utils.c
+++ b/omx/image/src/openmax_il/jpeg_enc/src/OMX_JpegEnc_Utils.c
@@ -2010,16 +2010,12 @@ OMX_ERRORTYPE HandleJpegEncFreeOutputBufferFromApp(JPEGENC_COMPONENT_PRIVATE *pC
     LCML_DSP_INTERFACE* pLcmlHandle = NULL;
     JPEGENC_BUFFER_PRIVATE* pBuffPrivate = NULL;
     int ret;
-#ifdef __JPEG_OMX_PPLIB_ENABLED__
-    OMX_U8 *ptInputParam;
-#endif
 
     OMX_PRINT1(pComponentPrivate->dbg, "Inside HandleFreeOutputBufferFromApp function\n");
     
     pLcmlHandle = (LCML_DSP_INTERFACE *)(pComponentPrivate->pLCML);
     pPortDefOut = pComponentPrivate->pCompPort[JPEGENC_OUT_PORT]->pPortDef;
 
-
     ret = read(pComponentPrivate->free_outBuf_Q[0], &pBuffHead, sizeof(pBuffHead));
     if ( ret == -1 ) {
         OMX_PRCOMM4(pComponentPrivate->dbg, "Error while reading from the pipe\n");
@@ -2074,9 +2070,11 @@ OMX_ERRORTYPE HandleJpegEncFreeOutputBufferFromApp(JPEGENC_COMPONENT_PRIVATE *pC
 #ifdef __JPEG_OMX_PPLIB_ENABLED__
     if (pComponentPrivate->pOutParams != NULL)
     {
+        pComponentPrivate->pOutParams = (OMX_U8*)pComponentPrivate->pOutParams - PADDING_128_BYTE;
         OMX_FREE(pComponentPrivate->pOutParams);
     }
-    OMX_MALLOC(pComponentPrivate->pOutParams,sizeof(PPLIB_UALGRunTimeParam_t));
+    OMX_MALLOC(pComponentPrivate->pOutParams,sizeof(PPLIB_UALGRunTimeParam_t) + PADDING_256_BYTE);
+    pComponentPrivate->pOutParams = (OMX_U8*)pComponentPrivate->pOutParams + PADDING_128_BYTE;
 
     if (pComponentPrivate->pOutParams != NULL)
     {
@@ -3136,6 +3134,7 @@ void ResourceManagerCallback(RMPROXY_COMMANDDATATYPE cbData)
 
 void LinkedList_Create(LinkedList *LinkedList) {
     LinkedList->pRoot = NULL;
+    pthread_mutex_init(&LinkedList->lock, NULL);
 }
 
 void LinkedList_AddElement(LinkedList *LinkedList, void *pValue) {
@@ -3145,6 +3144,8 @@ void LinkedList_AddElement(LinkedList *LinkedList, void *pValue) {
     /*printf("LinkedList:::: Pointer=%p has been added.\n", pNewNode->pValue); */
     /* add new node on the root to implement quick FIFO */
     /* modify new node pointers */
+
+    pthread_mutex_lock(&LinkedList->lock);
     if(LinkedList->pRoot == NULL) {
         pNewNode->pNextNode = NULL;
     }
@@ -3153,9 +3154,11 @@ void LinkedList_AddElement(LinkedList *LinkedList, void *pValue) {
     }
     /*modify root */
     LinkedList->pRoot = pNewNode;
+    pthread_mutex_unlock(&LinkedList->lock);
 }
 
 void LinkedList_FreeElement(LinkedList *LinkedList, void *pValue) {
+    pthread_mutex_lock(&LinkedList->lock);
     Node *pNode = LinkedList->pRoot;
     Node *pPastNode = NULL;
     while (pNode != NULL) {
@@ -3169,25 +3172,33 @@ void LinkedList_FreeElement(LinkedList *LinkedList, void *pValue) {
             }
             /*printf("LinkedList:::: Pointer=%p has been freed\n", pNode->pValue); */
             free(pNode->pValue);
+            pNode->pValue = NULL;
             free(pNode);
+            pNode = NULL;
             break;
         }
         pPastNode = pNode;
         pNode = pNode->pNextNode;
     }
+    pthread_mutex_unlock(&LinkedList->lock);
 }
 
 void LinkedList_FreeAll(LinkedList *LinkedList) {
     Node *pTempNode;
     int nodes = 0;
+    pthread_mutex_lock(&LinkedList->lock);
     while (LinkedList->pRoot != NULL) {
         pTempNode = LinkedList->pRoot->pNextNode;
         /*printf("LinkedList:::: Pointer=%p has been freed\n", LinkedList->pRoot->pValue); */
-        free(LinkedList->pRoot->pValue);
+        if(LinkedList->pRoot->pValue != NULL) {
+            free(LinkedList->pRoot->pValue);
+            LinkedList->pRoot->pValue = NULL;
+        }
         free(LinkedList->pRoot);
         LinkedList->pRoot = pTempNode;
         nodes++;
     }
+    pthread_mutex_unlock(&LinkedList->lock);
     /*printf("==================No. of deleted nodes: %d=======================================\n\n", nodes); */
 }
 
@@ -3201,9 +3212,9 @@ void LinkedList_DisplayAll(LinkedList *LinkedList) {
         pNode = pNode->pNextNode;
         nodes++;
     }
-     printf("==================No. of existing nodes: %d=======================================\n\n", nodes);
+    printf("==================No. of existing nodes: %d=======================================\n\n", nodes);
 }
 
 void LinkedList_Destroy(LinkedList *LinkedList) {
-    /* do nothing */
+    pthread_mutex_destroy(&LinkedList->lock);
 }
diff --git a/omx/image/src/openmax_il/jpeg_enc/src/OMX_JpegEncoder.c b/omx/image/src/openmax_il/jpeg_enc/src/OMX_JpegEncoder.c
index a6c8df7..6b49a80 100644
--- a/omx/image/src/openmax_il/jpeg_enc/src/OMX_JpegEncoder.c
+++ b/omx/image/src/openmax_il/jpeg_enc/src/OMX_JpegEncoder.c
@@ -528,7 +528,9 @@ OMX_ERRORTYPE OMX_ComponentInit (OMX_HANDLETYPE hComponent)
     pComponentPrivate->InParams.pInParams = NULL;
     pComponentPrivate->InParams.size = 0;   
     pComponentPrivate->bPreempted = OMX_FALSE;
-
+#ifdef __JPEG_OMX_PPLIB_ENABLED__
+    pComponentPrivate->pOutParams = NULL;
+#endif
     OMX_MALLOC(pComponentPrivate->pDynParams, sizeof(IDMJPGE_TIGEM_DynamicParams)+256);
     if (!pComponentPrivate->pDynParams) {
         eError = OMX_ErrorInsufficientResources;
author	Andrew Collins <andrewcollins@motorola.com>	2009-09-18 15:31:05 -0700
committer	James Dong <jdong@google.com>	2009-09-18 15:36:10 -0700
commit	bca73818821dde513097a412ae6f2539d927e588 (patch)
tree	3c5d629d32a3c82e41acbe1744292a9b91a5f838 /omx
parent	990117074ba37226d82be2f2ebe3739e488f848c (diff)
download	omap3-bca73818821dde513097a412ae6f2539d927e588.tar.gz