diff options
author | Santhosh Behara <santhoshbehara@codeaurora.org> | 2017-09-19 12:43:02 +0530 |
---|---|---|
committer | Gerrit - the friendly Code Review server <code-review@localhost> | 2018-07-27 18:13:28 -0700 |
commit | 06a576016d6233ee8e42ea6e444c14428ce8eaff (patch) | |
tree | a691917e8920cbe6106e740aea49b559beb8f388 | |
parent | 0931b64e4e824a3abe818755409791182a767775 (diff) | |
download | android_hardware_qcom_media-06a576016d6233ee8e42ea6e444c14428ce8eaff.tar.gz android_hardware_qcom_media-06a576016d6233ee8e42ea6e444c14428ce8eaff.tar.bz2 android_hardware_qcom_media-06a576016d6233ee8e42ea6e444c14428ce8eaff.zip |
mm-video-v4l2: venc: Use client allocated memory if available
IL client may free the buffer and calls for free buffer on IL
component to free the buffer header. It may happen that the IL
component may reject the free buffer due to various reasons.
In such scenario, client might have already freed the memory
allocated by client (such scenario will appear in use buffer
mode of buffer allocation). Now accessing client buffer in
such scenario may lead to use after free vulnerability.
Added a flag to indicate if the client buffer is available to
perform any operation on the client allocated memory. If not,
restrict from doing any operation on client memory.
CRs-Fixed: 2115779
Change-Id: I45e4f117e98588ee7c888ec5c1cb2424bc7e5fa3
-rw-r--r-- | mm-video-v4l2/vidc/venc/inc/omx_video_base.h | 1 | ||||
-rw-r--r-- | mm-video-v4l2/vidc/venc/src/omx_video_base.cpp | 8 | ||||
-rw-r--r-- | mm-video-v4l2/vidc/venc/src/omx_video_encoder.cpp | 2 |
3 files changed, 10 insertions, 1 deletions
diff --git a/mm-video-v4l2/vidc/venc/inc/omx_video_base.h b/mm-video-v4l2/vidc/venc/inc/omx_video_base.h index 166e856e..936b1ff6 100644 --- a/mm-video-v4l2/vidc/venc/inc/omx_video_base.h +++ b/mm-video-v4l2/vidc/venc/inc/omx_video_base.h @@ -833,6 +833,7 @@ class omx_video: public qc_omx_component uint64_t m_out_bm_count; uint64_t m_client_out_bm_count; + uint64_t m_client_in_bm_count; uint64_t m_inp_bm_count; uint64_t m_flags; uint64_t m_etb_count; diff --git a/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp b/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp index c97a6627..f3aeb83d 100644 --- a/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp +++ b/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp @@ -290,6 +290,7 @@ omx_video::omx_video(): allocate_native_handle(false), m_out_bm_count(0), m_client_out_bm_count(0), + m_client_in_bm_count(0), m_inp_bm_count(0), m_flags(0), m_etb_count(0), @@ -2655,6 +2656,7 @@ OMX_ERRORTYPE omx_video::use_input_buffer( *bufferHdr = (m_inp_mem_ptr + i); BITMASK_SET(&m_inp_bm_count,i); + BITMASK_SET(&m_client_in_bm_count,i); (*bufferHdr)->pBuffer = (OMX_U8 *)buffer; (*bufferHdr)->nSize = sizeof(OMX_BUFFERHEADERTYPE); @@ -3671,6 +3673,10 @@ OMX_ERRORTYPE omx_video::free_buffer(OMX_IN OMX_HANDLETYPE hComp, nPortIndex = buffer - (OMX_BUFFERHEADERTYPE*)m_out_mem_ptr; if(BITMASK_PRESENT(&m_client_out_bm_count, nPortIndex)) BITMASK_CLEAR(&m_client_out_bm_count,nPortIndex); + } else if (port == PORT_INDEX_IN) { + nPortIndex = buffer - (meta_mode_enable?meta_buffer_hdr:m_inp_mem_ptr); + if(BITMASK_PRESENT(&m_client_in_bm_count, nPortIndex)) + BITMASK_CLEAR(&m_client_in_bm_count,nPortIndex); } if (m_state == OMX_StateIdle && (BITMASK_PRESENT(&m_flags ,OMX_COMPONENT_LOADING_PENDING))) { @@ -4042,7 +4048,7 @@ OMX_ERRORTYPE omx_video::empty_this_buffer_proxy(OMX_IN OMX_HANDLETYPE hComp, auto_lock l(m_buf_lock); pmem_data_buf = (OMX_U8 *)m_pInput_pmem[nBufIndex].buffer; - if (pmem_data_buf && BITMASK_PRESENT(&m_inp_bm_count, nBufIndex)) { + if (pmem_data_buf && BITMASK_PRESENT(&m_client_in_bm_count, nBufIndex)) { memcpy (pmem_data_buf, (buffer->pBuffer + buffer->nOffset), buffer->nFilledLen); } diff --git a/mm-video-v4l2/vidc/venc/src/omx_video_encoder.cpp b/mm-video-v4l2/vidc/venc/src/omx_video_encoder.cpp index e5ac098a..002e5644 100644 --- a/mm-video-v4l2/vidc/venc/src/omx_video_encoder.cpp +++ b/mm-video-v4l2/vidc/venc/src/omx_video_encoder.cpp @@ -2442,6 +2442,8 @@ OMX_ERRORTYPE omx_venc::component_deinit(OMX_IN OMX_HANDLETYPE hComp) for (i=0; i<m_sInPortDef.nBufferCountActual; i++ ) { if (BITMASK_PRESENT(&m_inp_bm_count, i)) { BITMASK_CLEAR(&m_inp_bm_count, i); + if (BITMASK_PRESENT(&m_client_in_bm_count, i)) + BITMASK_CLEAR(&m_client_in_bm_count, i); free_input_buffer (&m_inp_mem_ptr[i]); } |