android_hardware_qcom_media, branch cm-13.0-caf-8994 Unnamed repository; edit this file 'description' to name the repository. mm-video-v4l2: vidc: Update version type for encoder aspect ratio 2018-02-09T18:46:00+00:00 Shiju Mathew shijum@codeaurora.org 2016-08-05T20:05:54+00:00 3d79d786368b15a89387d393beef9e13cf2123ad To allow avenhancement openmax port structure initialization. Change-Id: I5475b6fba663db7b3b247208ddd6ca691b0507d6 CVE-2017-11041 
To allow avenhancement openmax port structure initialization.

Change-Id: I5475b6fba663db7b3b247208ddd6ca691b0507d6
CVE-2017-11041
DO NOT MERGE: mm-video-v4l2: vdec: Disallow changing buffer modes/counts on allocated ports 2017-02-05T10:05:34+00:00 Mahesh Lanka mlanka@codeaurora.org 2016-08-25T10:48:21+00:00 2dbe29a6f57b7fc836fcc29519c1e694f3502aed Changing Count, size, usage-mode (metadata/bytebuffer/native-handle) or allocation-mode (allocateBuffer/UseBuffer) of buffers should only be allowed when the port hasn't been allocated yet. Since buffer-modes determine the payload-size in case of meta-buffer-mode, and also determine the memory-base to derive buffer indices from buffer- headers, letting the client change count/size/mode on a pre-allocated port will cause inconsistencies in the size of memory allocated for headers and lead to index overflows. Fix the range checks for the derived buffer-indices to avoid out-of-bounds writes. Also, ensure buffer-mode settings (metadata-mode, native-handle-mode) are intended for the right ports. Bug: 29617572 : Heap Overflow/LPE in MediaServer (libOmxVdec problem #8) Bug: 29982686 : Memory Write/LPE in MediaServer (libOmxVdec problem #10) Change-Id: I619636a48779580c247bffb3752c3e4025b46542 (cherry picked from commit 8676b1dc86274de4b733dfb6df198b3c4582218c) (cherry picked from commit d3ecffb926948c9a4583f511eb71a1127a27aafe) 
Changing Count, size, usage-mode (metadata/bytebuffer/native-handle) or
allocation-mode (allocateBuffer/UseBuffer) of buffers should only be
allowed when the port hasn't been allocated yet.
Since buffer-modes determine the payload-size in case of meta-buffer-mode,
and also determine the memory-base to derive buffer indices from buffer-
headers, letting the client change count/size/mode on a pre-allocated port
will cause inconsistencies in the size of memory allocated for headers and
lead to index overflows.
Fix the range checks for the derived buffer-indices to avoid out-of-bounds
writes.

Also, ensure buffer-mode settings (metadata-mode, native-handle-mode)
are intended for the right ports.

Bug: 29617572 : Heap Overflow/LPE in MediaServer (libOmxVdec problem #8)
Bug: 29982686 : Memory Write/LPE in MediaServer (libOmxVdec problem #10)

Change-Id: I619636a48779580c247bffb3752c3e4025b46542
(cherry picked from commit 8676b1dc86274de4b733dfb6df198b3c4582218c)
(cherry picked from commit d3ecffb926948c9a4583f511eb71a1127a27aafe)
mm-video-v4l2: venc: Disallow changing buffer count/size on allocated port 2017-01-22T15:38:57+00:00 Praveen Chavan pchavan@codeaurora.org 2016-08-17T08:47:57+00:00 c889ac2ffabced4bd17b74816a91cb3c0df23016 Count and size negotiation of port-buffers should only be allowed when the port hasn't been allocated yet. Letting the client change count/size on a pre-allocated port will cause inconsistencies in the count/size of memory allocated for headers and internal lists. Fix resetting of buffer-base (m_inp_mem_ptr) when all buffers are freed, for all the buffer-modes. Bug: 29421682 Fixes: Local Privilege Escalation in MediaServer (libOmxVenc problem #10) CRs-Fixed: 1055792 Change-Id: I9abead969bc3c908e6db9beb6316fd572dac25f7 mh0rst: Mitigates CVE-2016-6761 (cherry picked from commit e6f2b6f8ca6adffc7dfee84ee8f73468f8f95f16) 
Count and size negotiation of port-buffers should only be allowed when
the port hasn't been allocated yet.
Letting the client change count/size on a pre-allocated port will
cause inconsistencies in the count/size of memory allocated for
headers and internal lists.
Fix resetting of buffer-base (m_inp_mem_ptr) when all buffers are
freed, for all the buffer-modes.

Bug: 29421682
Fixes: Local Privilege Escalation in MediaServer (libOmxVenc problem #10)

CRs-Fixed: 1055792
Change-Id: I9abead969bc3c908e6db9beb6316fd572dac25f7
mh0rst: Mitigates CVE-2016-6761
(cherry picked from commit e6f2b6f8ca6adffc7dfee84ee8f73468f8f95f16)
mm-video-v4l2: vdec: Disallow input usebuffer for secure case 2016-12-12T20:11:47+00:00 Mahesh Lanka mlanka@codeaurora.org 2016-10-12T09:14:30+00:00 84a84d3f27f5b3192ec625a39e485861fe71cb8d In secure mode, input buffer _must_ be allocated by the component to allocate a secure buffer. Client-supplied memory via usebuffer does not qualify as secure-memory and must be rejected. This also avoids accidental heap-overflow while copying bitstream from user-memory to a smaller-sized secure-payload (usually the buffer-header itself) CYNGNOS-3312 Bug : 30148882 Fixes : Heap Overflow/LPE in MediaServer (libOmxVdec problem #11) Change-Id: I4f6017eae70d1b760a91be0cfcc356d380ec889b (cherry picked from commit fd304685bb097f9ea519893c064405ad5be1109e) (cherry picked from commit 229bb5e6a25eb4f9176b55bdc380b169b3618618) 
In secure mode, input buffer _must_ be allocated by the component to
allocate a secure buffer.
Client-supplied memory via usebuffer does not qualify as secure-memory
and must be rejected. This also avoids accidental heap-overflow while
copying bitstream from user-memory to a smaller-sized secure-payload
(usually the buffer-header itself)

CYNGNOS-3312
Bug : 30148882
Fixes : Heap Overflow/LPE in MediaServer (libOmxVdec problem #11)

Change-Id: I4f6017eae70d1b760a91be0cfcc356d380ec889b
(cherry picked from commit fd304685bb097f9ea519893c064405ad5be1109e)
(cherry picked from commit 229bb5e6a25eb4f9176b55bdc380b169b3618618)
DO NOT MERGE mm-video-v4l2: venc: add checks before 2016-08-02T18:45:19+00:00 Praveen Chavan pchavan@codeaurora.org 2016-07-07T23:44:52+00:00 4e82dac5255269cbfcf848ea935e1d835885e230 accessing heap pointers Heap pointers do not point to user virtual addresses in case of secure session. Set them to NULL and add checks to avoid accesing them Ticket: CYNGNOS-3177 Bug: 28815329 Bug: 28920116 Change-Id: I27d02331d9613f4b20949457a8634924e767864e 
 accessing heap pointers

Heap pointers do not point to user virtual addresses in case
of secure session.
Set them to NULL and add checks to avoid accesing them

Ticket: CYNGNOS-3177
Bug: 28815329
Bug: 28920116
Change-Id: I27d02331d9613f4b20949457a8634924e767864e
DO NOT MERGE Fix wrong nAllocLen 2016-08-02T18:45:12+00:00 Wonsik Kim wonsik@google.com 2016-07-07T23:38:55+00:00 1c3121949fef7582535ff49bfe8a47729fa77e76 Set nAllocLen to the size of the opaque handle itself. Ticket: CYNGNOS-3177 Bug: 28816964 Bug: 28816827 Change-Id: Id410e324bee291d4a0018dddb97eda9bbcded099 (cherry picked from commit 857df7fbafd5156d60df62d3ccb3cf7682b54197) 
Set nAllocLen to the size of the opaque handle itself.

Ticket: CYNGNOS-3177
Bug: 28816964
Bug: 28816827
Change-Id: Id410e324bee291d4a0018dddb97eda9bbcded099
(cherry picked from commit 857df7fbafd5156d60df62d3ccb3cf7682b54197)
mm-video-v4l2: venc: Avoid processing ETBs/FTBs in invalid states 2016-06-09T00:35:31+00:00 Praveen Chavan pchavan@codeaurora.org 2016-04-25T18:51:05+00:00 3eda402636964752430954806a6e9a8a4ce5cc9c (per the spec) ETB/FTB should not be handled in states other than Executing, Paused and Idle. This avoids accessing invalid buffers. Also add a lock to protect the private-buffers from being deleted while accessing from another thread. Bug: 27903498 Ticket: CYNGNOS-3020 Security Vulnerability - Heap Use-After-Free and Possible LPE in MediaServer (libOmxVenc problem #3) CRs-Fixed: 1010088 Change-Id: I898b42034c0add621d4f9d8e02ca0ed4403d4fd3 
(per the spec) ETB/FTB should not be handled in states other than
Executing, Paused and Idle. This avoids accessing invalid buffers.
Also add a lock to protect the private-buffers from being deleted
while accessing from another thread.

Bug: 27903498
Ticket: CYNGNOS-3020
Security Vulnerability - Heap Use-After-Free and Possible LPE in
MediaServer (libOmxVenc problem #3)

CRs-Fixed: 1010088

Change-Id: I898b42034c0add621d4f9d8e02ca0ed4403d4fd3
mm-video-v4l2: vdec: Avoid processing ETBs/FTBs in invalid states 2016-06-09T00:00:17+00:00 Praveen Chavan pchavan@codeaurora.org 2016-04-25T17:03:42+00:00 c08ba8cb5ea26791fe3765a34eab1af9cc722776 (per the spec) ETB/FTB should not be handled in states other than Executing, Paused and Idle. This avoids accessing invalid buffers. Also add a lock to protect the private-buffers from being deleted while accessing from another thread. Bug: 27890802 Security Vulnerability - Heap Use-After-Free and Possible LPE in MediaServer (libOmxVdec problem #6) CRs-Fixed: 1008882 Change-Id: Iaac2e383cd53cf9cf8042c9ed93ddc76dba3907e 
(per the spec) ETB/FTB should not be handled in states other than
Executing, Paused and Idle. This avoids accessing invalid buffers.
Also add a lock to protect the private-buffers from being deleted
while accessing from another thread.

Bug: 27890802
Security Vulnerability - Heap Use-After-Free and Possible LPE in
MediaServer (libOmxVdec problem #6)

CRs-Fixed: 1008882

Change-Id: Iaac2e383cd53cf9cf8042c9ed93ddc76dba3907e
mm-video-v4l2: vdec: deprecate unused config OMX_IndexVendorVideoExtraData 2016-05-07T00:25:54+00:00 Praveen Chavan pchavan@codeaurora.org 2016-04-12T00:32:32+00:00 007b032cfc5044223597164c4646b35f91fa67c5 This config (used to set header offline) is no longer used. Remove handling this config since it uses non-process-safe ways to pass memory pointers. Fixes: Security Vulnerability - Segfault in MediaServer (libOmxVdec problem #2) Bug: 27475409 Change-Id: I7a535a3da485cbe83cf4605a05f9faf70dcca42f 
This config (used to set header offline) is no longer used. Remove handling
this config since it uses non-process-safe ways to pass memory pointers.

Fixes: Security Vulnerability - Segfault in MediaServer (libOmxVdec problem #2)
Bug: 27475409

Change-Id: I7a535a3da485cbe83cf4605a05f9faf70dcca42f
mm-video-v4l2: venc: add safety checks for freeing buffers 2016-05-07T00:25:47+00:00 Praveen Chavan pchavan@codeaurora.org 2016-04-12T00:32:55+00:00 38176db94de4b4aecd591f2c1e016476fd1674e4 Allow only up to 64 buffers on input/output port (since the allocation bitmap is only 64-wide). Add safety checks to free only as many buffers were allocated. Fixes: Heap Overflow and Possible Local Privilege Escalation in MediaServer (libOmxVenc problem) Bug: 27532497 Change-Id: I31e576ef9dc542df73aa6b0ea113d72724b50fc6 
Allow only up to 64 buffers on input/output port (since the
allocation bitmap is only 64-wide).
Add safety checks to free only as many buffers were allocated.

Fixes: Heap Overflow and Possible Local Privilege Escalation in
MediaServer (libOmxVenc problem)
Bug: 27532497

Change-Id: I31e576ef9dc542df73aa6b0ea113d72724b50fc6