diff options
| author | Lajos Molnar <lajos@google.com> | 2017-09-06 19:41:19 -0700 |
|---|---|---|
| committer | Andreas Blaesius <skate4life@gmx.de> | 2018-01-12 19:01:48 +0000 |
| commit | 19d12edc1aad955ecd2e2b1bc786f1e7acb5fe0c (patch) | |
| tree | 72d67161d6562928db7c9ff7ea67670538703826 | |
| parent | 80de27ec697625eb965893bbeced75214b998bca (diff) | |
| download | frameworks_av-19d12edc1aad955ecd2e2b1bc786f1e7acb5fe0c.tar.gz frameworks_av-19d12edc1aad955ecd2e2b1bc786f1e7acb5fe0c.tar.bz2 frameworks_av-19d12edc1aad955ecd2e2b1bc786f1e7acb5fe0c.zip | |
Backport: OMXNodeInstance: use a lock around OMX::freeNode
This is to avoid a concurrent use after free if other OMX commands
are being executed before the node is marked as deleted.
Bug: 63666573
Backport:
Wrap into #ifndef/#endif statement to allow skipping this patch
for specific devices by adding the following directive into the
BoardConfig.mk or BoardConfigCommon.mk file of the device repo:
TARGET_RELEASE_CPPFLAGS += -DSKIP_CVE_2017_13154
Change-Id: I7720dd900bfa252f8675e0c56191adbf52aa957e
CVE-2017-13154
| -rw-r--r-- | media/libstagefright/omx/OMXNodeInstance.cpp | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/media/libstagefright/omx/OMXNodeInstance.cpp b/media/libstagefright/omx/OMXNodeInstance.cpp index 04d0b258aa..6f1ba9b6bb 100644 --- a/media/libstagefright/omx/OMXNodeInstance.cpp +++ b/media/libstagefright/omx/OMXNodeInstance.cpp @@ -378,6 +378,10 @@ status_t OMXNodeInstance::freeNode(OMXMaster *master) { break; } +#ifndef SKIP_CVE_2017_13154 + Mutex::Autolock _l(mLock); +#endif + ALOGV("[%x:%s] calling destroyComponentInstance", mNodeID, mName); OMX_ERRORTYPE err = master->destroyComponentInstance( static_cast<OMX_COMPONENTTYPE *>(mHandle)); |