diff options
| author | Praveen Chavan <pchavan@codeaurora.org> | 2016-06-15 17:51:39 -0700 |
|---|---|---|
| committer | Wonsik Kim <wonsik@google.com> | 2016-06-22 08:06:07 +0900 |
| commit | d99a08f99689df977dfc585a436ada5acf4f2a25 (patch) | |
| tree | de996bd04724ab884018ad63d369d9a8d255b4d2 | |
| parent | a8fcf27d158120163227dfb16d758deed294bbd2 (diff) | |
| download | android_hardware_qcom_media-d99a08f99689df977dfc585a436ada5acf4f2a25.tar.gz android_hardware_qcom_media-d99a08f99689df977dfc585a436ada5acf4f2a25.tar.bz2 android_hardware_qcom_media-d99a08f99689df977dfc585a436ada5acf4f2a25.zip | |
mm-video-v4l2: venc: add checks before accessing heap pointers
Heap pointers do not point to user virtual addresses in case
of secure session.
Set them to NULL and add checks to avoid accesing them
Bug: 28815329
Bug: 28920116
Change-Id: I94fd5808e753b58654d65e175d3857ef46ffba26
6 files changed, 58 insertions, 16 deletions
diff --git a/msm8974/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp b/msm8974/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp index 3d77f30f..cb24ec0c 100644 --- a/msm8974/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp +++ b/msm8974/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp @@ -80,7 +80,6 @@ ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #define SZ_4K 0x1000 #define SZ_1M 0x100000 -#define SECURE_BUFPTR 0xDEADBEEF typedef struct OMXComponentCapabilityFlagsType { ////////////////// OMX COMPONENT CAPABILITY RELATED MEMBERS @@ -2260,7 +2259,7 @@ OMX_ERRORTYPE omx_video::use_input_buffer( m_pInput_pmem[i].size = m_sInPortDef.nBufferSize; m_pInput_pmem[i].offset = 0; - m_pInput_pmem[i].buffer = (OMX_U8 *)SECURE_BUFPTR; + m_pInput_pmem[i].buffer = NULL; if(!secure_session) { m_pInput_pmem[i].buffer = (unsigned char *)mmap( NULL,m_pInput_pmem[i].size,PROT_READ|PROT_WRITE, @@ -2268,6 +2267,7 @@ OMX_ERRORTYPE omx_video::use_input_buffer( if (m_pInput_pmem[i].buffer == MAP_FAILED) { DEBUG_PRINT_ERROR("ERROR: mmap() Failed"); + m_pInput_pmem[i].buffer = NULL; close(m_pInput_pmem[i].fd); #ifdef USE_ION free_ion_memory(&m_pInput_ion[i]); @@ -2451,7 +2451,7 @@ OMX_ERRORTYPE omx_video::use_output_buffer( m_pOutput_pmem[i].size = m_sOutPortDef.nBufferSize; m_pOutput_pmem[i].offset = 0; - m_pOutput_pmem[i].buffer = (OMX_U8 *)SECURE_BUFPTR; + m_pOutput_pmem[i].buffer = NULL; if(!secure_session) { #ifdef _MSM8974_ m_pOutput_pmem[i].buffer = (unsigned char *)mmap(NULL, @@ -2464,6 +2464,7 @@ OMX_ERRORTYPE omx_video::use_output_buffer( #endif if (m_pOutput_pmem[i].buffer == MAP_FAILED) { DEBUG_PRINT_ERROR("ERROR: mmap() Failed"); + m_pOutput_pmem[i].buffer = NULL; close(m_pOutput_pmem[i].fd); #ifdef USE_ION free_ion_memory(&m_pOutput_ion[i]); @@ -2862,13 +2863,14 @@ OMX_ERRORTYPE omx_video::allocate_input_buffer( m_pInput_pmem[i].size = m_sInPortDef.nBufferSize; m_pInput_pmem[i].offset = 0; - m_pInput_pmem[i].buffer = (OMX_U8 *)SECURE_BUFPTR; + m_pInput_pmem[i].buffer = NULL; if(!secure_session) { m_pInput_pmem[i].buffer = (unsigned char *)mmap(NULL, m_pInput_pmem[i].size,PROT_READ|PROT_WRITE, MAP_SHARED,m_pInput_pmem[i].fd,0); if (m_pInput_pmem[i].buffer == MAP_FAILED) { DEBUG_PRINT_ERROR("ERROR: mmap FAILED= %d", errno); + m_pInput_pmem[i].buffer = NULL; close(m_pInput_pmem[i].fd); #ifdef USE_ION free_ion_memory(&m_pInput_ion[i]); @@ -2879,6 +2881,10 @@ OMX_ERRORTYPE omx_video::allocate_input_buffer( //This should only be used for passing reference to source type and //secure handle fd struct native_handle_t* m_pInput_pmem[i].buffer = malloc(sizeof(OMX_U32) + sizeof(native_handle_t*)); + if (m_pInput_pmem[i].buffer == NULL) { + DEBUG_PRINT_ERROR("%s: failed to allocate native-handle", __func__); + return OMX_ErrorInsufficientResources; + } } (*bufferHdr)->pBuffer = (OMX_U8 *)m_pInput_pmem[i].buffer; @@ -3023,7 +3029,7 @@ OMX_ERRORTYPE omx_video::allocate_output_buffer( m_pOutput_pmem[i].size = m_sOutPortDef.nBufferSize; m_pOutput_pmem[i].offset = 0; - m_pOutput_pmem[i].buffer = (OMX_U8 *)SECURE_BUFPTR; + m_pOutput_pmem[i].buffer = NULL; if(!secure_session) { #ifdef _MSM8974_ m_pOutput_pmem[i].buffer = (unsigned char *)mmap(NULL, @@ -3036,6 +3042,7 @@ OMX_ERRORTYPE omx_video::allocate_output_buffer( #endif if (m_pOutput_pmem[i].buffer == MAP_FAILED) { DEBUG_PRINT_ERROR("ERROR: MMAP_FAILED in o/p alloc buffer"); + m_pOutput_pmem[i].buffer = NULL; close (m_pOutput_pmem[i].fd); #ifdef USE_ION free_ion_memory(&m_pOutput_ion[i]); @@ -3047,6 +3054,10 @@ OMX_ERRORTYPE omx_video::allocate_output_buffer( //This should only be used for passing reference to source type and //secure handle fd struct native_handle_t* m_pOutput_pmem[i].buffer = malloc(sizeof(OMX_U32) + sizeof(native_handle_t*)); + if (m_pOutput_pmem[i].buffer == NULL) { + DEBUG_PRINT_ERROR("%s: Failed to allocate native-handle", __func__); + return OMX_ErrorInsufficientResources; + } native_handle_t *handle = native_handle_create(1, 0); handle->data[0] = m_pOutput_pmem[i].fd; char *data = (char*) m_pOutput_pmem[i].buffer; @@ -3512,9 +3523,9 @@ OMX_ERRORTYPE omx_video::empty_this_buffer_proxy(OMX_IN OMX_HANDLETYPE hComp, post_event ((unsigned long)buffer,0,OMX_COMPONENT_GENERATE_EBD); return OMX_ErrorBadParameter; } - } else if (input_use_buffer && !m_use_input_pmem) + } else if (input_use_buffer && !m_use_input_pmem && m_pInput_pmem[nBufIndex].buffer) #else - if (input_use_buffer && !m_use_input_pmem) + if (input_use_buffer && !m_use_input_pmem && m_pInput_pmem[nBufIndex].buffer) #endif { DEBUG_PRINT_LOW("Heap UseBuffer case, so memcpy the data"); diff --git a/msm8974/mm-video-v4l2/vidc/venc/src/omx_video_encoder.cpp b/msm8974/mm-video-v4l2/vidc/venc/src/omx_video_encoder.cpp index effa433c..33a147bf 100644 --- a/msm8974/mm-video-v4l2/vidc/venc/src/omx_video_encoder.cpp +++ b/msm8974/mm-video-v4l2/vidc/venc/src/omx_video_encoder.cpp @@ -2222,7 +2222,7 @@ int omx_venc::async_message_process (void *context, void* message) omxhdr->nFlags = m_sVenc_msg->buf.flags; /*Use buffer case*/ - if (omx->output_use_buffer && !omx->m_use_output_pmem) { + if (omx->output_use_buffer && !omx->m_use_output_pmem && !omx->is_secure_session()) { DEBUG_PRINT_LOW("memcpy() for o/p Heap UseBuffer"); memcpy(omxhdr->pBuffer, (m_sVenc_msg->buf.ptrbuffer), diff --git a/msm8974/mm-video-v4l2/vidc/venc/src/video_encoder_device_v4l2.cpp b/msm8974/mm-video-v4l2/vidc/venc/src/video_encoder_device_v4l2.cpp index 6319eab4..b3b37d1d 100644 --- a/msm8974/mm-video-v4l2/vidc/venc/src/video_encoder_device_v4l2.cpp +++ b/msm8974/mm-video-v4l2/vidc/venc/src/video_encoder_device_v4l2.cpp @@ -681,6 +681,11 @@ bool venc_dev::venc_get_output_log_flag() int venc_dev::venc_output_log_buffers(const char *buffer_addr, int buffer_len) { + if (venc_handle->is_secure_session()) { + DEBUG_PRINT_ERROR("logging secure output buffers is not allowed!"); + return -1; + } + if (!m_debug.outfile) { int size = 0; if(m_sVenc_cfg.codectype == V4L2_PIX_FMT_MPEG4) { @@ -764,6 +769,11 @@ int venc_dev::venc_extradata_log_buffers(char *buffer_addr) } int venc_dev::venc_input_log_buffers(OMX_BUFFERHEADERTYPE *pbuffer, int fd, int plane_offset) { + if (venc_handle->is_secure_session()) { + DEBUG_PRINT_ERROR("logging secure input buffers is not allowed!"); + return -1; + } + if (!m_debug.infile) { int size = snprintf(m_debug.infile_name, PROPERTY_VALUE_MAX, "%s/input_enc_%lu_%lu_%p.yuv", m_debug.log_loc, m_sVenc_cfg.input_width, m_sVenc_cfg.input_height, this); diff --git a/msm8996/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp b/msm8996/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp index 904c7f7c..1d48cd14 100644 --- a/msm8996/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp +++ b/msm8996/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp @@ -80,7 +80,6 @@ ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #define SZ_4K 0x1000 #define SZ_1M 0x100000 -#define SECURE_BUFPTR 0xDEADBEEF #ifndef ION_FLAG_CP_BITSTREAM #define ION_FLAG_CP_BITSTREAM 0 @@ -2506,7 +2505,7 @@ OMX_ERRORTYPE omx_video::use_input_buffer( m_pInput_pmem[i].size = m_sInPortDef.nBufferSize; m_pInput_pmem[i].offset = 0; - m_pInput_pmem[i].buffer = (OMX_U8 *)SECURE_BUFPTR; + m_pInput_pmem[i].buffer = NULL; if(!secure_session) { m_pInput_pmem[i].buffer = (unsigned char *)mmap( NULL,m_pInput_pmem[i].size,PROT_READ|PROT_WRITE, @@ -2514,6 +2513,7 @@ OMX_ERRORTYPE omx_video::use_input_buffer( if (m_pInput_pmem[i].buffer == MAP_FAILED) { DEBUG_PRINT_ERROR("ERROR: mmap() Failed"); + m_pInput_pmem[i].buffer = NULL; close(m_pInput_pmem[i].fd); #ifdef USE_ION free_ion_memory(&m_pInput_ion[i]); @@ -2698,7 +2698,7 @@ OMX_ERRORTYPE omx_video::use_output_buffer( m_pOutput_pmem[i].size = m_sOutPortDef.nBufferSize; m_pOutput_pmem[i].offset = 0; - m_pOutput_pmem[i].buffer = (OMX_U8 *)SECURE_BUFPTR; + m_pOutput_pmem[i].buffer = NULL; if(!secure_session) { #ifdef _MSM8974_ m_pOutput_pmem[i].buffer = (unsigned char *)mmap(NULL, @@ -2711,6 +2711,7 @@ OMX_ERRORTYPE omx_video::use_output_buffer( #endif if (m_pOutput_pmem[i].buffer == MAP_FAILED) { DEBUG_PRINT_ERROR("ERROR: mmap() Failed"); + m_pOutput_pmem[i].buffer = NULL; close(m_pOutput_pmem[i].fd); #ifdef USE_ION free_ion_memory(&m_pOutput_ion[i]); @@ -3110,13 +3111,14 @@ OMX_ERRORTYPE omx_video::allocate_input_buffer( m_pInput_pmem[i].size = m_sInPortDef.nBufferSize; m_pInput_pmem[i].offset = 0; - m_pInput_pmem[i].buffer = (OMX_U8 *)SECURE_BUFPTR; + m_pInput_pmem[i].buffer = NULL; if(!secure_session) { m_pInput_pmem[i].buffer = (unsigned char *)mmap(NULL, m_pInput_pmem[i].size,PROT_READ|PROT_WRITE, MAP_SHARED,m_pInput_pmem[i].fd,0); if (m_pInput_pmem[i].buffer == MAP_FAILED) { DEBUG_PRINT_ERROR("ERROR: mmap FAILED= %d", errno); + m_pInput_pmem[i].buffer = NULL; close(m_pInput_pmem[i].fd); #ifdef USE_ION free_ion_memory(&m_pInput_ion[i]); @@ -3127,6 +3129,10 @@ OMX_ERRORTYPE omx_video::allocate_input_buffer( //This should only be used for passing reference to source type and //secure handle fd struct native_handle_t* m_pInput_pmem[i].buffer = malloc(sizeof(OMX_U32) + sizeof(native_handle_t*)); + if (m_pInput_pmem[i].buffer == NULL) { + DEBUG_PRINT_ERROR("%s: failed to allocate native-handle", __func__); + return OMX_ErrorInsufficientResources; + } } (*bufferHdr)->pBuffer = (OMX_U8 *)m_pInput_pmem[i].buffer; @@ -3272,7 +3278,7 @@ OMX_ERRORTYPE omx_video::allocate_output_buffer( m_pOutput_pmem[i].size = m_sOutPortDef.nBufferSize; m_pOutput_pmem[i].offset = 0; - m_pOutput_pmem[i].buffer = (OMX_U8 *)SECURE_BUFPTR; + m_pOutput_pmem[i].buffer = NULL; if(!secure_session) { #ifdef _MSM8974_ m_pOutput_pmem[i].buffer = (unsigned char *)mmap(NULL, @@ -3285,6 +3291,7 @@ OMX_ERRORTYPE omx_video::allocate_output_buffer( #endif if (m_pOutput_pmem[i].buffer == MAP_FAILED) { DEBUG_PRINT_ERROR("ERROR: MMAP_FAILED in o/p alloc buffer"); + m_pOutput_pmem[i].buffer = NULL; close (m_pOutput_pmem[i].fd); #ifdef USE_ION free_ion_memory(&m_pOutput_ion[i]); @@ -3296,6 +3303,10 @@ OMX_ERRORTYPE omx_video::allocate_output_buffer( //This should only be used for passing reference to source type and //secure handle fd struct native_handle_t* m_pOutput_pmem[i].buffer = malloc(sizeof(OMX_U32) + sizeof(native_handle_t*)); + if (m_pOutput_pmem[i].buffer == NULL) { + DEBUG_PRINT_ERROR("%s: failed to allocate native-handle", __func__); + return OMX_ErrorInsufficientResources; + } native_handle_t *handle = native_handle_create(1, 0); handle->data[0] = m_pOutput_pmem[i].fd; char *data = (char*) m_pOutput_pmem[i].buffer; @@ -3756,9 +3767,9 @@ OMX_ERRORTYPE omx_video::empty_this_buffer_proxy(OMX_IN OMX_HANDLETYPE hComp, post_event ((unsigned long)buffer,0,OMX_COMPONENT_GENERATE_EBD); return OMX_ErrorBadParameter; } - } else if (input_use_buffer && !m_use_input_pmem) + } else if (input_use_buffer && !m_use_input_pmem && m_pInput_pmem[nBufIndex].buffer) #else - if (input_use_buffer && !m_use_input_pmem) + if (input_use_buffer && !m_use_input_pmem && m_pInput_pmem[nBufIndex].buffer) #endif { DEBUG_PRINT_LOW("Heap UseBuffer case, so memcpy the data"); diff --git a/msm8996/mm-video-v4l2/vidc/venc/src/omx_video_encoder.cpp b/msm8996/mm-video-v4l2/vidc/venc/src/omx_video_encoder.cpp index d49d8501..fb9ec592 100644 --- a/msm8996/mm-video-v4l2/vidc/venc/src/omx_video_encoder.cpp +++ b/msm8996/mm-video-v4l2/vidc/venc/src/omx_video_encoder.cpp @@ -2429,7 +2429,7 @@ int omx_venc::async_message_process (void *context, void* message) omxhdr->nFlags = m_sVenc_msg->buf.flags; /*Use buffer case*/ - if (omx->output_use_buffer && !omx->m_use_output_pmem) { + if (omx->output_use_buffer && !omx->m_use_output_pmem && !omx->is_secure_session()) { DEBUG_PRINT_LOW("memcpy() for o/p Heap UseBuffer"); memcpy(omxhdr->pBuffer, (m_sVenc_msg->buf.ptrbuffer), diff --git a/msm8996/mm-video-v4l2/vidc/venc/src/video_encoder_device_v4l2.cpp b/msm8996/mm-video-v4l2/vidc/venc/src/video_encoder_device_v4l2.cpp index c984cce3..3886230e 100644 --- a/msm8996/mm-video-v4l2/vidc/venc/src/video_encoder_device_v4l2.cpp +++ b/msm8996/mm-video-v4l2/vidc/venc/src/video_encoder_device_v4l2.cpp @@ -838,6 +838,11 @@ bool venc_dev::venc_get_output_log_flag() int venc_dev::venc_output_log_buffers(const char *buffer_addr, int buffer_len) { + if (venc_handle->is_secure_session()) { + DEBUG_PRINT_ERROR("logging secure output buffers is not allowed!"); + return -1; + } + if (!m_debug.outfile) { int size = 0; if(m_sVenc_cfg.codectype == V4L2_PIX_FMT_MPEG4) { @@ -966,6 +971,11 @@ int venc_dev::venc_roiqp_log_buffers(OMX_QTI_VIDEO_CONFIG_ROIINFO *roiInfo) { int venc_dev::venc_input_log_buffers(OMX_BUFFERHEADERTYPE *pbuffer, int fd, int plane_offset, unsigned long inputformat) { + if (venc_handle->is_secure_session()) { + DEBUG_PRINT_ERROR("logging secure input buffers is not allowed!"); + return -1; + } + if (!m_debug.infile) { int size = snprintf(m_debug.infile_name, PROPERTY_VALUE_MAX, "%s/input_enc_%lu_%lu_%p.yuv", m_debug.log_loc, m_sVenc_cfg.input_width, m_sVenc_cfg.input_height, this); |