diff options
| author | Praveen Chavan <pchavan@codeaurora.org> | 2016-03-22 17:34:57 -0700 |
|---|---|---|
| committer | Praveen Chavan <pchavan@codeaurora.org> | 2016-03-22 17:34:57 -0700 |
| commit | cdd8a4b969e5540b42f76597c5148053df937cb5 (patch) | |
| tree | d8e70684f0e1476d30f44b689d7c0a25fbac4110 | |
| parent | c59fcaac1498d4c2596d2eb82eb4557e424e4d5d (diff) | |
| download | android_hardware_qcom_media-cdd8a4b969e5540b42f76597c5148053df937cb5.tar.gz android_hardware_qcom_media-cdd8a4b969e5540b42f76597c5148053df937cb5.tar.bz2 android_hardware_qcom_media-cdd8a4b969e5540b42f76597c5148053df937cb5.zip | |
mm-video-v4l2: vdec: add safety checks for freeing buffers
Allow only up to 64 buffers on input/output port (since the
allocation bitmap is only 64-wide).
Do not allow changing the actual buffer count while still
holding allocation (Client can technically negotiate buffer
count on a free/disabled port)
Add safety checks to free only as many buffers were allocated.
Fixes: Security Vulnerability - Heap Overflow and Possible
Local Privilege Escalation in MediaServer (libOmxVdec problem #3)
Bug: 27532282
Change-Id: I06dd680d43feaef3efdc87311e8a6703e234b523
| -rw-r--r-- | mm-video-v4l2/vidc/vdec/src/omx_vdec_v4l2.cpp | 62 |
1 files changed, 52 insertions, 10 deletions
diff --git a/mm-video-v4l2/vidc/vdec/src/omx_vdec_v4l2.cpp b/mm-video-v4l2/vidc/vdec/src/omx_vdec_v4l2.cpp index d32d4e70..32dac93e 100644 --- a/mm-video-v4l2/vidc/vdec/src/omx_vdec_v4l2.cpp +++ b/mm-video-v4l2/vidc/vdec/src/omx_vdec_v4l2.cpp @@ -3975,10 +3975,22 @@ OMX_ERRORTYPE omx_vdec::set_parameter(OMX_IN OMX_HANDLETYPE hComp, break; } - if (!client_buffers.get_buffer_req(buffer_size)) { + if (portDefn->nBufferCountActual > MAX_NUM_INPUT_OUTPUT_BUFFERS) { + DEBUG_PRINT_ERROR("Requested o/p buf count (%u) exceeds limit (%u)", + portDefn->nBufferCountActual, MAX_NUM_INPUT_OUTPUT_BUFFERS); + eRet = OMX_ErrorBadParameter; + } else if (!client_buffers.get_buffer_req(buffer_size)) { DEBUG_PRINT_ERROR("Error in getting buffer requirements"); eRet = OMX_ErrorBadParameter; } else if (!port_format_changed) { + + // Buffer count can change only when port is disabled + if (!release_output_done()) { + DEBUG_PRINT_ERROR("Cannot change o/p buffer count since all buffers are not freed yet !"); + eRet = OMX_ErrorInvalidState; + break; + } + if ( portDefn->nBufferCountActual >= drv_ctx.op_buf.mincount && portDefn->nBufferSize >= drv_ctx.op_buf.buffer_size ) { drv_ctx.op_buf.actualcount = portDefn->nBufferCountActual; @@ -4087,6 +4099,19 @@ OMX_ERRORTYPE omx_vdec::set_parameter(OMX_IN OMX_HANDLETYPE hComp, eRet = OMX_ErrorBadParameter; break; } + if (portDefn->nBufferCountActual > MAX_NUM_INPUT_OUTPUT_BUFFERS) { + DEBUG_PRINT_ERROR("Requested i/p buf count (%u) exceeds limit (%u)", + portDefn->nBufferCountActual, MAX_NUM_INPUT_OUTPUT_BUFFERS); + eRet = OMX_ErrorBadParameter; + break; + } + // Buffer count can change only when port is disabled + if (!release_input_done()) { + DEBUG_PRINT_ERROR("Cannot change i/p buffer count since all buffers are not freed yet !"); + eRet = OMX_ErrorInvalidState; + break; + } + if (portDefn->nBufferCountActual >= drv_ctx.ip_buf.mincount || portDefn->nBufferSize != drv_ctx.ip_buf.buffer_size) { port_format_changed = true; @@ -6687,7 +6712,8 @@ OMX_ERRORTYPE omx_vdec::free_buffer(OMX_IN OMX_HANDLETYPE hComp, nPortIndex = buffer - m_inp_heap_ptr; DEBUG_PRINT_LOW("free_buffer on i/p port - Port idx %d", nPortIndex); - if (nPortIndex < drv_ctx.ip_buf.actualcount) { + if (nPortIndex < drv_ctx.ip_buf.actualcount && + BITMASK_PRESENT(&m_inp_bm_count, nPortIndex)) { // Clear the bit associated with it. BITMASK_CLEAR(&m_inp_bm_count,nPortIndex); BITMASK_CLEAR(&m_heap_inp_bm_count,nPortIndex); @@ -6729,7 +6755,8 @@ OMX_ERRORTYPE omx_vdec::free_buffer(OMX_IN OMX_HANDLETYPE hComp, } else if (port == OMX_CORE_OUTPUT_PORT_INDEX) { // check if the buffer is valid nPortIndex = buffer - client_buffers.get_il_buf_hdr(); - if (nPortIndex < drv_ctx.op_buf.actualcount) { + if (nPortIndex < drv_ctx.op_buf.actualcount && + BITMASK_PRESENT(&m_out_bm_count, nPortIndex)) { DEBUG_PRINT_LOW("free_buffer on o/p port - Port idx %d", nPortIndex); // Clear the bit associated with it. BITMASK_CLEAR(&m_out_bm_count,nPortIndex); @@ -7368,7 +7395,14 @@ OMX_ERRORTYPE omx_vdec::component_deinit(OMX_IN OMX_HANDLETYPE hComp) if (m_out_mem_ptr) { DEBUG_PRINT_LOW("Freeing the Output Memory"); for (i = 0; i < drv_ctx.op_buf.actualcount; i++ ) { - free_output_buffer (&m_out_mem_ptr[i]); + if (BITMASK_PRESENT(&m_out_bm_count, i)) { + BITMASK_CLEAR(&m_out_bm_count, i); + client_buffers.free_output_buffer (&m_out_mem_ptr[i]); + } + + if (release_output_done()) { + break; + } } #ifdef _ANDROID_ICS_ memset(&native_buffer, 0, (sizeof(nativebuffer) * MAX_NUM_INPUT_OUTPUT_BUFFERS)); @@ -7379,11 +7413,19 @@ OMX_ERRORTYPE omx_vdec::component_deinit(OMX_IN OMX_HANDLETYPE hComp) if (m_inp_mem_ptr || m_inp_heap_ptr) { DEBUG_PRINT_LOW("Freeing the Input Memory"); for (i = 0; i<drv_ctx.ip_buf.actualcount; i++ ) { - if (m_inp_mem_ptr) - free_input_buffer (i,&m_inp_mem_ptr[i]); - else - free_input_buffer (i,NULL); - } + + if (BITMASK_PRESENT(&m_inp_bm_count, i)) { + BITMASK_CLEAR(&m_inp_bm_count, i); + if (m_inp_mem_ptr) + free_input_buffer (i,&m_inp_mem_ptr[i]); + else + free_input_buffer (i,NULL); + } + + if (release_input_done()) { + break; + } + } } free_input_buffer_header(); free_output_buffer_header(); @@ -7801,7 +7843,7 @@ bool omx_vdec::release_output_done(void) bool bRet = false; unsigned i=0,j=0; - DEBUG_PRINT_LOW("Value of m_out_mem_ptr %p",m_inp_mem_ptr); + DEBUG_PRINT_LOW("Value of m_out_mem_ptr %p", m_out_mem_ptr); if (m_out_mem_ptr) { for (; j < drv_ctx.op_buf.actualcount ; j++) { if (BITMASK_PRESENT(&m_out_bm_count,j)) { |