android_hardware_qcom_media, branch cm-14.1-caf-8974 Unnamed repository; edit this file 'description' to name the repository. mm-video-v4l2: Protect buffer access and increase input buffer size 2018-09-07T22:21:14+00:00 Santhosh Behara santhoshbehara@codeaurora.org 2018-05-15T13:09:50+00:00 30ca21aa842ab082a25678869f223837e78cc789 Protect buffer access for below scenarios: *Increase the scope of buf_lock in free_buffer to avoid access of freed buffer for both input and output buffers. Also, add check before output buffer access. *Disallow allocate buffer mode after client has called use buffer. Allocate additional 512 bytes of memory for input buffers on top of allocation size as per hardware requirement. Bug: 64340487 Test: ran POC on bullhead/nyc-dev Change-Id: Iabbb2d7e00ff97bfc47b04386feec66976fca99a (cherry picked from commit 83aeab22d1bdc493b3ea2f50616bb8fd460d6c74) 
Protect buffer access for below scenarios:

*Increase the scope of buf_lock in free_buffer to avoid access
 of freed buffer for both input and output buffers. Also, add check
 before output buffer access.

*Disallow allocate buffer mode after client has called use buffer.

Allocate additional 512 bytes of memory for input buffers on top of
allocation size as per hardware requirement.

Bug: 64340487
Test: ran POC on bullhead/nyc-dev
Change-Id: Iabbb2d7e00ff97bfc47b04386feec66976fca99a
(cherry picked from commit 83aeab22d1bdc493b3ea2f50616bb8fd460d6c74)
mm-video-v4l2: vdec: Disallow changing buffer modes/counts on allocated ports 2018-04-14T20:05:17+00:00 Praveen Chavan pchavan@codeaurora.org 2016-08-17T19:19:29+00:00 58207a2eaaa5cdd7868358b79d7ffabc26c42bf4 Changing Count, size, usage-mode (metadata/bytebuffer/native-handle) or allocation-mode (allocateBuffer/UseBuffer) of buffers should only be allowed when the port hasn't been allocated yet. Since buffer-modes determine the payload-size in case of meta-buffer-mode, and also determine the memory-base to derive buffer indices from buffer- headers, letting the client change count/size/mode on a pre-allocated port will cause inconsistencies in the size of memory allocated for headers and lead to index overflows. Fix the range checks for the derived buffer-indices to avoid out-of-bounds writes. Also, ensure buffer-mode settings (metadata-mode, native-handle-mode) are intended for the right ports. Bug: 29617572 : Heap Overflow/LPE in MediaServer (libOmxVdec problem #8) Bug: 29982686 : Memory Write/LPE in MediaServer (libOmxVdec problem #10) Change-Id: I619636a48779580c247bffb3752c3e4025b46542 
Changing Count, size, usage-mode (metadata/bytebuffer/native-handle) or
allocation-mode (allocateBuffer/UseBuffer) of buffers should only be
allowed when the port hasn't been allocated yet.
Since buffer-modes determine the payload-size in case of meta-buffer-mode,
and also determine the memory-base to derive buffer indices from buffer-
headers, letting the client change count/size/mode on a pre-allocated port
will cause inconsistencies in the size of memory allocated for headers and
lead to index overflows.

Fix the range checks for the derived buffer-indices to avoid out-of-bounds
writes.

Also, ensure buffer-mode settings (metadata-mode, native-handle-mode)
are intended for the right ports.

Bug: 29617572 : Heap Overflow/LPE in MediaServer (libOmxVdec problem #8)
Bug: 29982686 :  Memory Write/LPE in MediaServer (libOmxVdec problem #10)

Change-Id: I619636a48779580c247bffb3752c3e4025b46542
mm-video-v4l2: venc: Disallow changing buffer count/size on allocated port 2018-04-14T20:04:55+00:00 Praveen Chavan pchavan@codeaurora.org 2016-08-17T08:47:57+00:00 2a2ce7e5512b7d9d4acbac8e49f4891c76d2cfc9 Count and size negotiation of port-buffers should only be allowed when the port hasn't been allocated yet. Letting the client change count/size on a pre-allocated port will cause inconsistencies in the count/size of memory allocated for headers and internal lists. Fix resetting of buffer-base (m_inp_mem_ptr) when all buffers are freed, for all the buffer-modes. Bug: 29421682 Change-Id: I9abead969bc3c908e6db9beb6316fd572dac25f7 Fixes: Local Privilege Escalation in MediaServer (libOmxVenc problem #10) 
Count and size negotiation of port-buffers should only be allowed when
the port hasn't been allocated yet.
Letting the client change count/size on a pre-allocated port will
cause inconsistencies in the count/size of memory allocated for
headers and internal lists.
Fix resetting of buffer-base (m_inp_mem_ptr) when all buffers are
freed, for all the buffer-modes.

Bug: 29421682
Change-Id: I9abead969bc3c908e6db9beb6316fd572dac25f7
Fixes: Local Privilege Escalation in MediaServer (libOmxVenc problem #10)
mm-video-v4l2: venc: Protect buffer from being freed while accessing 2017-09-10T18:25:29+00:00 Paras Nagda pnagda@codeaurora.org 2017-07-04T13:43:17+00:00 209a13cf50b52983443d99617c42ea6d2ec325fe Output buffer (in use-buffer mode) has an internal backup ion buffer. The contents of this buffer are deep-copied in client's buffer in the context of VideoEncCallBackThread; while this buffer can be freed in the client thread's context. Check the allocation bitmask before attempting to copy and synchronize these operations by holding a lock Fixes bug 36130225 Security Vulnerability - Heap use after free in libOmxVenc CRs-Fixed: 2053101 Change-Id: I6141e81d7dbd50bc3601c8df066fd8cbd06b4e0b 
Output buffer (in use-buffer mode) has an internal backup ion buffer.
The contents of this buffer are deep-copied in client's buffer in
the context of VideoEncCallBackThread; while this buffer can be
freed in the client thread's context.
Check the allocation bitmask before attempting to copy and
synchronize these operations by holding a lock

Fixes bug 36130225
 Security Vulnerability - Heap use after free in libOmxVenc

CRs-Fixed: 2053101

Change-Id: I6141e81d7dbd50bc3601c8df066fd8cbd06b4e0b
mm-video-v4l2: vdec: Fix makefile derp introduced in d443c0d 2017-03-13T15:25:20+00:00 Ashwin Ramesh ashwinr64@gmail.com 2017-03-13T15:24:21+00:00 4ff5e65212ac6b2735f750c154b16701a922f54f Change-Id: I0e004cf3ef85e148b2286bad8a7aea8130703ab2 
Change-Id: I0e004cf3ef85e148b2286bad8a7aea8130703ab2
media-caf msm8974: Fix typo in video decoder error check for debug output 2017-02-22T17:07:04+00:00 Corinna Vinschen xda@vinschen.de 2017-02-22T16:30:51+00:00 99eef721ecc527eaa42ab7d0ef21a9fd2d352abc Change-Id: I9e46b8c1be56c16bdb46a03d7777c93aed9fa5aa Signed-off-by: Corinna Vinschen <xda@vinschen.de> 
Change-Id: I9e46b8c1be56c16bdb46a03d7777c93aed9fa5aa
Signed-off-by: Corinna Vinschen <xda@vinschen.de>
mm-video-v4l2: vdec: Remove DivxDrm Decrypt support 2016-11-05T16:26:22+00:00 Abdulla Anam abdullahanam@codeaurora.org 2015-04-29T12:13:28+00:00 64a46c7e33f62eb57a90d109144472d3d17a66b9 Removing the divx drmDecrypt logic as it appears obsolete causing playback errors for clear Divx contents too Change-Id: I35e7b2b500f876a2379cbb5be10e272fa39954de 
Removing the divx drmDecrypt logic as it appears obsolete causing
playback errors for clear Divx contents too

Change-Id: I35e7b2b500f876a2379cbb5be10e272fa39954de
mm-video: Remove old video component 2016-11-05T16:26:16+00:00 Shalaj Jain shalajj@codeaurora.org 2014-07-11T20:14:50+00:00 d63f30549950289ee078235bf940632d88a0d86b Old video component is not used anymore along with the power module. Change-Id: Id46032ec665d654cc4115ecc1c4d5be062310dac 
Old video component is not used anymore along with the
power module.

Change-Id: Id46032ec665d654cc4115ecc1c4d5be062310dac
Remove leftover QCMediaPlayer files 2016-11-04T14:25:29+00:00 Michael Bestas mikeioannina@cyanogenmod.org 2016-11-04T14:18:42+00:00 79be6bb1719f472ca652d00916c6b59d114dc681 Commit e20c801118f537471c5443601c8505418eaff159 removed QCMediaPlayer but forgot to remove these files which were introduced in 7f64afefcc8b9f597582fc1aa5b799c150c2f443 Change-Id: Ife075c6a6ea4a1c600c8b52c40ca48a723618afb 
Commit e20c801118f537471c5443601c8505418eaff159 removed
QCMediaPlayer but forgot to remove these files which
were introduced in 7f64afefcc8b9f597582fc1aa5b799c150c2f443

Change-Id: Ife075c6a6ea4a1c600c8b52c40ca48a723618afb
mm-video-v4l2: vdec: allocate secure buffer as native_handle 2016-11-04T14:02:12+00:00 Praveen Chavan pchavan@codeaurora.org 2016-04-19T19:25:46+00:00 d443c0da38a5ec553da297676ff2e7fd2217002f Rather than stashing a file-descriptor directly in pBuffer, wrap the fd in a native_handle to enable client to pass fds safely to crypto process. [ashwin]: Adapt for msm8x74 HAL CRs-Fixed: 1006103 Bug: 26780972 Change-Id: Ica3beac395a0e63c1e0aeec061ec88bb9055a31f 
Rather than stashing a file-descriptor directly in pBuffer,
wrap the fd in a native_handle to enable client to pass
fds safely to crypto process.

[ashwin]: Adapt for msm8x74 HAL

CRs-Fixed: 1006103

Bug: 26780972
Change-Id: Ica3beac395a0e63c1e0aeec061ec88bb9055a31f