android_hardware_qcom_media, branch lineage-15.1-caf-8084 Unnamed repository; edit this file 'description' to name the repository. mm-video-v4l2: Protect buffer access and increase input buffer size 2018-09-06T02:45:55+00:00 Santhosh Behara santhoshbehara@codeaurora.org 2018-05-15T13:09:50+00:00 330d8527207b063e7b865896b846470e55e82c84 Protect buffer access for below scenarios: *Increase the scope of buf_lock in free_buffer to avoid access of freed buffer for both input and output buffers. Also, add check before output buffer access. *Disallow allocate buffer mode after client has called use buffer. Allocate additional 512 bytes of memory for input buffers on top of allocation size as per hardware requirement. Bug: 64340487 Test: ran POC on bullhead/nyc-dev Change-Id: Iabbb2d7e00ff97bfc47b04386feec66976fca99a (cherry picked from commit 83aeab22d1bdc493b3ea2f50616bb8fd460d6c74) 
Protect buffer access for below scenarios:

*Increase the scope of buf_lock in free_buffer to avoid access
 of freed buffer for both input and output buffers. Also, add check
 before output buffer access.

*Disallow allocate buffer mode after client has called use buffer.

Allocate additional 512 bytes of memory for input buffers on top of
allocation size as per hardware requirement.

Bug: 64340487
Test: ran POC on bullhead/nyc-dev
Change-Id: Iabbb2d7e00ff97bfc47b04386feec66976fca99a
(cherry picked from commit 83aeab22d1bdc493b3ea2f50616bb8fd460d6c74)
mm-video-v4l2: vdec: Disallow changing buffer modes/counts on allocated ports 2018-04-17T09:14:21+00:00 Praveen Chavan pchavan@codeaurora.org 2016-08-17T19:19:29+00:00 29e06f3f904645c899a3a2601014fd913ba22e94 Changing Count, size, usage-mode (metadata/bytebuffer/native-handle) or allocation-mode (allocateBuffer/UseBuffer) of buffers should only be allowed when the port hasn't been allocated yet. Since buffer-modes determine the payload-size in case of meta-buffer-mode, and also determine the memory-base to derive buffer indices from buffer- headers, letting the client change count/size/mode on a pre-allocated port will cause inconsistencies in the size of memory allocated for headers and lead to index overflows. Fix the range checks for the derived buffer-indices to avoid out-of-bounds writes. Also, ensure buffer-mode settings (metadata-mode, native-handle-mode) are intended for the right ports. Bug: 29617572 : Heap Overflow/LPE in MediaServer (libOmxVdec problem #8) Bug: 29982686 : Memory Write/LPE in MediaServer (libOmxVdec problem #10) Change-Id: I619636a48779580c247bffb3752c3e4025b46542 
Changing Count, size, usage-mode (metadata/bytebuffer/native-handle) or
allocation-mode (allocateBuffer/UseBuffer) of buffers should only be
allowed when the port hasn't been allocated yet.
Since buffer-modes determine the payload-size in case of meta-buffer-mode,
and also determine the memory-base to derive buffer indices from buffer-
headers, letting the client change count/size/mode on a pre-allocated port
will cause inconsistencies in the size of memory allocated for headers and
lead to index overflows.

Fix the range checks for the derived buffer-indices to avoid out-of-bounds
writes.

Also, ensure buffer-mode settings (metadata-mode, native-handle-mode)
are intended for the right ports.

Bug: 29617572 : Heap Overflow/LPE in MediaServer (libOmxVdec problem #8)
Bug: 29982686 :  Memory Write/LPE in MediaServer (libOmxVdec problem #10)

Change-Id: I619636a48779580c247bffb3752c3e4025b46542
mm-video-v4l2: venc: Disallow changing buffer count/size on allocated port 2018-04-17T09:14:21+00:00 Praveen Chavan pchavan@codeaurora.org 2016-08-17T08:47:57+00:00 a42a7cda3c3910f20a5f125eecb8ac8f35739d73 Count and size negotiation of port-buffers should only be allowed when the port hasn't been allocated yet. Letting the client change count/size on a pre-allocated port will cause inconsistencies in the count/size of memory allocated for headers and internal lists. Fix resetting of buffer-base (m_inp_mem_ptr) when all buffers are freed, for all the buffer-modes. Bug: 29421682 Change-Id: I9abead969bc3c908e6db9beb6316fd572dac25f7 Fixes: Local Privilege Escalation in MediaServer (libOmxVenc problem #10) 
Count and size negotiation of port-buffers should only be allowed when
the port hasn't been allocated yet.
Letting the client change count/size on a pre-allocated port will
cause inconsistencies in the count/size of memory allocated for
headers and internal lists.
Fix resetting of buffer-base (m_inp_mem_ptr) when all buffers are
freed, for all the buffer-modes.

Bug: 29421682
Change-Id: I9abead969bc3c908e6db9beb6316fd572dac25f7
Fixes: Local Privilege Escalation in MediaServer (libOmxVenc problem #10)
mm-video-v4l2: vidc: Add support for OMX_IndexConfigAndroidIntraRefresh 2018-04-16T20:29:56+00:00 Arun Menon avmenon@codeaurora.org 2016-03-30T00:41:06+00:00 bda60bfcaa72bbd632224e5c0d3ee1f4f87cdea2 OMX Component will support OMX_IndexConfigAndroidIntraRefresh only in loaded state. Bug: 27108817 Change-Id: I213fed57842b94c333843871d6c555e1fb8784e5 
OMX Component will support OMX_IndexConfigAndroidIntraRefresh only
in loaded state.

Bug: 27108817
Change-Id: I213fed57842b94c333843871d6c555e1fb8784e5
mm-video-v4l2: vdec: Add range check before native_buffer usage 2018-04-16T20:29:56+00:00 Praveen Chavan pchavan@codeaurora.org 2016-03-31T01:34:17+00:00 f24ca020472b9cdceecefbecf0cc4fd2b101caeb Restore missing buffer-index calculation, without which, native-handles were not being saved properly and NULL handles got sent out to gralloc::setMetadata A bad buffer index can cause the OMX component to make an out of bound read/write access on the native_buffer array and cause a crash. Add range check to fix the issue. Bug: 25976027 Change-Id: I684a501a1a71898b5c1c80566125459a5972c959 
Restore missing buffer-index calculation, without which,
native-handles were not being saved properly and NULL handles
got sent out to gralloc::setMetadata

A bad buffer index can cause the OMX component to make an out of
bound read/write access on the native_buffer array and cause a
crash. Add range check to fix the issue.

Bug: 25976027

Change-Id: I684a501a1a71898b5c1c80566125459a5972c959
mm-video-v4l2: vidc: fix matching of extension strings 2018-04-16T20:29:56+00:00 Praveen Chavan pchavan@codeaurora.org 2016-03-16T23:58:11+00:00 a7047b28a02a11627b38f843c51566426f92c0d9 Using strncmp with the strlen of source string can result in false positives when it is a substring of the passed string. Eg: strncmp("OMX.extn.x", "OMX.extn.xyz", strlen(OMX.extn.x)) will result in a match. Use strcmp instead. Bug: 27344524 Change-Id: I68839f2bea8b97a31f43885538e9dce51aa8c1b4 
Using strncmp with the strlen of source string can result in
false positives when it is a substring of the passed string.
Eg: strncmp("OMX.extn.x", "OMX.extn.xyz", strlen(OMX.extn.x))
    will result in a match.
Use strcmp instead.

Bug: 27344524

Change-Id: I68839f2bea8b97a31f43885538e9dce51aa8c1b4
mm-video-v4l2: venc: Advertise constrained profiles for AVC encoder 2018-04-16T20:29:56+00:00 Lajos Molnar lajos@google.com 2017-09-07T01:19:48+00:00 eb2d7c8865f3cd82647be8c6457abca9f205cd8a Enumerate and advertise constrained profiles for AVC encoder. Inorder to have backward compatability advertise exisisting as well as newly added constants. Keep legacy constants for getters as Android media framework does not use them. Bug: 65043406 Change-Id: I6fe88a505005731c4891aa1a7c1f627c65f01861 
Enumerate and advertise constrained profiles for AVC encoder.
Inorder to have backward compatability advertise exisisting as well
as newly added constants.

Keep legacy constants for getters as Android media framework does not
use them.

Bug: 65043406

Change-Id: I6fe88a505005731c4891aa1a7c1f627c65f01861
fix circular dependency libnativewindow <-> libui 2018-04-16T20:28:52+00:00 Mathias Agopian mathias@google.com 2017-05-02T00:29:52+00:00 f2501151cd1348550d79264d984c743461258795 Bug: 37647680, 37648355 Test: compile, manual Change-Id: I7214dcc1e57f2a0466fc28173dd5de5d54c9a721 
Bug: 37647680, 37648355
Test: compile, manual
Change-Id: I7214dcc1e57f2a0466fc28173dd5de5d54c9a721
libc2dcolorconvert: Fix address in unmap call 2018-04-15T11:36:10+00:00 Santhosh Behara santhoshbehara@codeaurora.org 2017-08-16T10:26:01+00:00 50725790e560dd4023ef19f3d85a1475b957c228 Unmap was being called with a modified address resulting in unmap failure. Call unmap with the exact address which we get from map call. CRs-Fixed: 2056867 Bug: 62385648 Author: abdullahanam@codeaurora.org Change-Id: I2b7eaec8c8224188f910501b5cb86402a722dfaf 
Unmap was being called with a modified address resulting in unmap
failure. Call unmap with the exact address which we get from map
call.

CRs-Fixed: 2056867
Bug: 62385648

Author: abdullahanam@codeaurora.org

Change-Id: I2b7eaec8c8224188f910501b5cb86402a722dfaf
hal: Added LOCAL_VENDOR_MODULE to set output path of the binaries 2018-04-15T10:38:54+00:00 Suman Mukherjee sumam@codeaurora.org 2017-07-06T10:31:18+00:00 ddf4a35e5d71cba8c56ba896e21debfd083530bc Replaced LOCAL_PROPRIETARY_MODULE with LOCAL_VENDOR_MODULE to set the output vendor path for hal binaries and libraries Change-Id: Ib04d80eabc0e17f3863e956db5f2378e426c0687 
Replaced LOCAL_PROPRIETARY_MODULE with LOCAL_VENDOR_MODULE to set the
output vendor path for hal binaries and libraries

Change-Id: Ib04d80eabc0e17f3863e956db5f2378e426c0687