| author | Praveen Chavan <pchavan@codeaurora.org> | 2016-04-25 11:51:05 -0700 |
|---|---|---|
| committer | Michael Bestas <mikeioannina@cyanogenmod.org> | 2016-07-25 23:15:21 +0300 |
| commit | 219a1e96ccac7170d1dc1095e34f143b0a44e7b4 (patch) | |
| tree | 53ceaf4e18e0f0895341c3d6da4b49d90aad5fce | |
| parent | 139f775fcc6af6797b2b0c195dcc5bad7a50e0d2 (diff) | |
| download | android_hardware_qcom_media-219a1e96ccac7170d1dc1095e34f143b0a44e7b4.tar.gz android_hardware_qcom_media-219a1e96ccac7170d1dc1095e34f143b0a44e7b4.tar.bz2 android_hardware_qcom_media-219a1e96ccac7170d1dc1095e34f143b0a44e7b4.zip | |
DO NOT MERGE mm-video-v4l2: venc: Avoid processing ETBs/FTBs in invalid states
(per the spec) ETB/FTB should not be handled in states other than
Executing, Paused and Idle. This avoids accessing invalid buffers.
Also add a lock to protect the private buffers from being deleted
while they are being accessed from another thread.
Bug: 27903498
Security Vulnerability - Heap Use-After-Free and Possible LPE in
MediaServer (libOmxVenc problem #3)
CRs-Fixed: 1010088
Change-Id: I898b42034c0add621d4f9d8e02ca0ed4403d4fd3
(cherry picked from commit 2c50fb8a3fc4bc813da87e0d92c9b5cfe26a9fbb)
| -rw-r--r-- | mm-video-v4l2/vidc/venc/src/omx_video_base.cpp | 30 |
1 files changed, 21 insertions, 9 deletions
diff --git a/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp b/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp index 52a42a38..10710820 100644 --- a/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp +++ b/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp @@ -2410,9 +2410,12 @@ OMX_ERRORTYPE omx_video::free_input_buffer(OMX_BUFFERHEADERTYPE *bufferHdr) } if (index < m_sInPortDef.nBufferCountActual && m_pInput_pmem) { + auto_lock l(m_lock); + if (m_pInput_pmem[index].fd > 0 && input_use_buffer == false) { DEBUG_PRINT_LOW("\n FreeBuffer:: i/p AllocateBuffer case"); munmap (m_pInput_pmem[index].buffer,m_pInput_pmem[index].size); + m_pInput_pmem[index].buffer = NULL; close (m_pInput_pmem[index].fd); #ifdef USE_ION free_ion_memory(&m_pInput_ion[index]); @@ -2425,6 +2428,7 @@ OMX_ERRORTYPE omx_video::free_input_buffer(OMX_BUFFERHEADERTYPE *bufferHdr) DEBUG_PRINT_ERROR("\nERROR: dev_free_buf() Failed for i/p buf"); } munmap (m_pInput_pmem[index].buffer,m_pInput_pmem[index].size); + m_pInput_pmem[index].buffer = NULL; close (m_pInput_pmem[index].fd); #ifdef USE_ION free_ion_memory(&m_pInput_ion[index]); @@ -3088,9 +3092,11 @@ OMX_ERRORTYPE omx_video::empty_this_buffer(OMX_IN OMX_HANDLETYPE hComp, OMX_ERRORTYPE ret1 = OMX_ErrorNone; unsigned int nBufferIndex ; - DEBUG_PRINT_LOW("\n ETB: buffer = %p, buffer->pBuffer[%p]\n", buffer, buffer->pBuffer); - if (m_state == OMX_StateInvalid) { - DEBUG_PRINT_ERROR("ERROR: Empty this buffer in Invalid State\n"); + DEBUG_PRINT_LOW("ETB: buffer = %p, buffer->pBuffer[%p]", buffer, buffer->pBuffer); + if (m_state != OMX_StateExecuting && + m_state != OMX_StatePause && + m_state != OMX_StateIdle) { + DEBUG_PRINT_ERROR("ERROR: Empty this buffer in Invalid State"); return OMX_ErrorInvalidState; } 
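Review bot: In both free paths of free_input_buffer (the hunk at -2410 and the one at -2425) the mapping pointer is now cleared after `munmap()`, but nothing in the lines shown invalidates the descriptor after `close (m_pInput_pmem[index].fd);`. The first branch is entered on `fd > 0`, so a second free of the same index would close a stale descriptor number that may by then belong to another open file in the process. If the reset is not already done after the `#endif` that follows each hunk, add `m_pInput_pmem[index].fd = -1;` right after each `close()`, inside the scope of the new `auto_lock`. The function body starts and ends outside both hunks.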
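Review bot: The rewritten `DEBUG_PRINT_LOW("ETB: buffer = %p, buffer->pBuffer[%p]", buffer, buffer->pBuffer);` in empty_this_buffer still dereferences `buffer` before the state check and before any NULL test visible in the hunk, and the fill_this_buffer hunk at -3317 does the same with `buffer->pBuffer`. If the NULL check on `buffer` sits further down in these functions (outside the hunks), a client passing a NULL header can fault in the log statement when low-level logging is enabled; log only `buffer` here, or move the line below the validation. The three-way `m_state` test is also duplicated verbatim in both entry points, so a small private predicate with a comment naming the states in which ETB/FTB are accepted would keep the two from drifting apart.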
@@ -3259,10 +3265,14 @@ OMX_ERRORTYPE omx_video::empty_this_buffer_proxy(OMX_IN OMX_HANDLETYPE if (input_use_buffer && !m_use_input_pmem) #endif { - DEBUG_PRINT_LOW("\n Heap UseBuffer case, so memcpy the data"); + DEBUG_PRINT_LOW("Heap UseBuffer case, so memcpy the data"); + + auto_lock l(m_lock); pmem_data_buf = (OMX_U8 *)m_pInput_pmem[nBufIndex].buffer; - memcpy (pmem_data_buf, (buffer->pBuffer + buffer->nOffset), - buffer->nFilledLen); + if (pmem_data_buf) { + memcpy (pmem_data_buf, (buffer->pBuffer + buffer->nOffset), + buffer->nFilledLen); + } DEBUG_PRINT_LOW("memcpy() done in ETBProxy for i/p Heap UseBuf"); } else if (mUseProxyColorFormat) { // Gralloc-source buffers with color-conversion @@ -3317,9 +3327,11 @@ OMX_ERRORTYPE omx_video::empty_this_buffer_proxy(OMX_IN OMX_HANDLETYPE OMX_ERRORTYPE omx_video::fill_this_buffer(OMX_IN OMX_HANDLETYPE hComp, OMX_IN OMX_BUFFERHEADERTYPE* buffer) { - DEBUG_PRINT_LOW("\n FTB: buffer->pBuffer[%p]\n", buffer->pBuffer); - if (m_state == OMX_StateInvalid) { - DEBUG_PRINT_ERROR("ERROR: FTB in Invalid State\n"); + DEBUG_PRINT_LOW("FTB: buffer->pBuffer[%p]", buffer->pBuffer); + if (m_state != OMX_StateExecuting && + m_state != OMX_StatePause && + m_state != OMX_StateIdle) { + DEBUG_PRINT_ERROR("ERROR: FTB in Invalid State"); return OMX_ErrorInvalidState; } |
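Review bot: The new `if (pmem_data_buf)` guard in empty_this_buffer_proxy only rules out an unmapped destination; the copy length `buffer->nFilledLen` is not compared with `m_pInput_pmem[nBufIndex].size` anywhere in this hunk, so an oversized header would write past the mapping unless that is validated earlier in the function (outside the hunk). When the pointer is NULL the copy is skipped silently, the next line still logs "memcpy() done", and execution continues as if the input had been staged. Consider `if (!pmem_data_buf || buffer->nFilledLen > m_pInput_pmem[nBufIndex].size)` followed by an error log and the function's usual rejection path, for example returning `OMX_ErrorBadParameter`. The same applies to the source side, where `buffer->nOffset + buffer->nFilledLen` is not checked against the client buffer's allocated length in the lines shown.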
