authorSanthosh Behara <santhoshbehara@codeaurora.org>2017-09-19 12:43:02 +0530
committerGerrit - the friendly Code Review server <code-review@localhost>2018-07-27 18:13:28 -0700
commit06a576016d6233ee8e42ea6e444c14428ce8eaff (patch)
treea691917e8920cbe6106e740aea49b559beb8f388
parent0931b64e4e824a3abe818755409791182a767775 (diff)
mm-video-v4l2: venc: Use client allocated memory if available
An IL client may free a buffer and then call free buffer on the IL component to release the buffer header. The IL component may reject that free buffer call for various reasons. In that scenario the client may already have freed the memory it allocated (this arises in the use buffer mode of buffer allocation), and accessing the client buffer afterwards may lead to a use-after-free vulnerability. Added a flag to indicate whether the client buffer is still available for operations on the client-allocated memory. If it is not, no operation is performed on client memory. CRs-Fixed: 2115779 Change-Id: I45e4f117e98588ee7c888ec5c1cb2424bc7e5fa3
-rw-r--r--mm-video-v4l2/vidc/venc/inc/omx_video_base.h1
-rw-r--r--mm-video-v4l2/vidc/venc/src/omx_video_base.cpp8
-rw-r--r--mm-video-v4l2/vidc/venc/src/omx_video_encoder.cpp2
3 files changed, 10 insertions, 1 deletions
diff --git a/mm-video-v4l2/vidc/venc/inc/omx_video_base.h b/mm-video-v4l2/vidc/venc/inc/omx_video_base.h
index 166e856e..936b1ff6 100644
--- a/mm-video-v4l2/vidc/venc/inc/omx_video_base.h
+++ b/mm-video-v4l2/vidc/venc/inc/omx_video_base.h
@@ -833,6 +833,7 @@ class omx_video: public qc_omx_component
uint64_t m_out_bm_count;
uint64_t m_client_out_bm_count;
+ uint64_t m_client_in_bm_count;
uint64_t m_inp_bm_count;
uint64_t m_flags;
uint64_t m_etb_count;
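Review bot: The new member m_client_in_bm_count sits undocumented next to m_inp_bm_count, and the two masks are easy to confuse because both are indexed by input buffer slot. A comment on the declaration would state the invariant the fix relies on, for example `// bit i set while the client-allocated input buffer i (use-buffer mode) may still be dereferenced; cleared as soon as the client calls free_buffer`. Judging from the other hunks, m_inp_bm_count tracks header allocation while this mask tracks whether the client memory is still valid, and that distinction deserves to be written down.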
diff --git a/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp b/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp
index c97a6627..f3aeb83d 100644
--- a/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp
+++ b/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp
@@ -290,6 +290,7 @@ omx_video::omx_video():
allocate_native_handle(false),
m_out_bm_count(0),
m_client_out_bm_count(0),
+ m_client_in_bm_count(0),
m_inp_bm_count(0),
m_flags(0),
m_etb_count(0),
@@ -2655,6 +2656,7 @@ OMX_ERRORTYPE omx_video::use_input_buffer(
*bufferHdr = (m_inp_mem_ptr + i);
BITMASK_SET(&m_inp_bm_count,i);
+ BITMASK_SET(&m_client_in_bm_count,i);
(*bufferHdr)->pBuffer = (OMX_U8 *)buffer;
(*bufferHdr)->nSize = sizeof(OMX_BUFFERHEADERTYPE);
@@ -3671,6 +3673,10 @@ OMX_ERRORTYPE omx_video::free_buffer(OMX_IN OMX_HANDLETYPE hComp,
nPortIndex = buffer - (OMX_BUFFERHEADERTYPE*)m_out_mem_ptr;
if(BITMASK_PRESENT(&m_client_out_bm_count, nPortIndex))
BITMASK_CLEAR(&m_client_out_bm_count,nPortIndex);
+ } else if (port == PORT_INDEX_IN) {
+ nPortIndex = buffer - (meta_mode_enable?meta_buffer_hdr:m_inp_mem_ptr);
+ if(BITMASK_PRESENT(&m_client_in_bm_count, nPortIndex))
+ BITMASK_CLEAR(&m_client_in_bm_count,nPortIndex);
}
if (m_state == OMX_StateIdle &&
(BITMASK_PRESENT(&m_flags ,OMX_COMPONENT_LOADING_PENDING))) {
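Review bot: In the new PORT_INDEX_IN branch, nPortIndex is computed from the caller-supplied header pointer and passed to BITMASK_PRESENT/BITMASK_CLEAR with no range check visible in the hunk, so a header that does not belong to the input array could produce an out-of-range bit index. If nothing earlier in free_buffer validates the pointer (the function starts and continues outside the hunk), bound the index first, e.g. `if (nPortIndex < m_sInPortDef.nBufferCountActual && BITMASK_PRESENT(&m_client_in_bm_count, nPortIndex))`, assuming m_sInPortDef is reachable here and nPortIndex is unsigned. The output branch just above follows the same pattern with m_client_out_bm_count and would benefit from the same guard.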
@@ -4042,7 +4048,7 @@ OMX_ERRORTYPE omx_video::empty_this_buffer_proxy(OMX_IN OMX_HANDLETYPE hComp,
auto_lock l(m_buf_lock);
pmem_data_buf = (OMX_U8 *)m_pInput_pmem[nBufIndex].buffer;
- if (pmem_data_buf && BITMASK_PRESENT(&m_inp_bm_count, nBufIndex)) {
+ if (pmem_data_buf && BITMASK_PRESENT(&m_client_in_bm_count, nBufIndex)) {
memcpy (pmem_data_buf, (buffer->pBuffer + buffer->nOffset),
buffer->nFilledLen);
}
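Review bot: The replaced condition tests m_client_in_bm_count under m_buf_lock, but the clear added in free_buffer shows no lock in its hunk. If that path does not hold m_buf_lock (most of free_buffer is outside the hunk), the bit can be cleared, and the client memory released, between this test and the memcpy, which leaves the use-after-free window open. Taking `auto_lock l(m_buf_lock);` around the BITMASK_CLEAR in free_buffer would make the flag update and the copy mutually exclusive. Separately, nothing visible here bounds `buffer->nOffset + buffer->nFilledLen` against the size of the pmem destination; confirm that is validated earlier in empty_this_buffer_proxy, which begins and ends outside the hunk.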
diff --git a/mm-video-v4l2/vidc/venc/src/omx_video_encoder.cpp b/mm-video-v4l2/vidc/venc/src/omx_video_encoder.cpp
index e5ac098a..002e5644 100644
--- a/mm-video-v4l2/vidc/venc/src/omx_video_encoder.cpp
+++ b/mm-video-v4l2/vidc/venc/src/omx_video_encoder.cpp
@@ -2442,6 +2442,8 @@ OMX_ERRORTYPE omx_venc::component_deinit(OMX_IN OMX_HANDLETYPE hComp)
for (i=0; i<m_sInPortDef.nBufferCountActual; i++ ) {
if (BITMASK_PRESENT(&m_inp_bm_count, i)) {
BITMASK_CLEAR(&m_inp_bm_count, i);
+ if (BITMASK_PRESENT(&m_client_in_bm_count, i))
+ BITMASK_CLEAR(&m_client_in_bm_count, i);
free_input_buffer (&m_inp_mem_ptr[i]);
}