diff options
| author | Govindaraj Rajagopal <grajagop@codeaurora.org> | 2019-08-20 20:34:53 +0530 |
|---|---|---|
| committer | Sanjay Singh <sisanj@codeaurora.org> | 2019-09-12 12:24:06 +0530 |
| commit | b107ffda0d09d62628456a2a9c373585c5ccf843 (patch) | |
| tree | 43ec7f05c68865181d3dfdeb23cd0da6f16c9756 | |
| parent | 98b291fce23cf547b963fb87e9cbc1d42abe7b51 (diff) | |
| download | android_hardware_qcom_media-b107ffda0d09d62628456a2a9c373585c5ccf843.tar.gz android_hardware_qcom_media-b107ffda0d09d62628456a2a9c373585c5ccf843.tar.bz2 android_hardware_qcom_media-b107ffda0d09d62628456a2a9c373585c5ccf843.zip | |
mm-video-v4l2: venc: handle use after free on venc_dev
pthread_join(msg_thread_id) is called after deleting
venc_dev object. So member variables from venc_dev class
is accessed in VencEncMsgThread. So changed the sequence
to ensure thread_join before deleting venc_dev obj.
Change-Id: I0b49d9d9051d1e4e01ee507fe87a6df88f2b986d
Signed-off-by: Govindaraj Rajagopal <grajagop@codeaurora.org>
Signed-off-by: Sanjay Singh <sisanj@codeaurora.org>
4 files changed, 16 insertions, 7 deletions
diff --git a/mm-video-v4l2/vidc/venc/inc/omx_video_base.h b/mm-video-v4l2/vidc/venc/inc/omx_video_base.h index 32ef4cb6..f45d200e 100644 --- a/mm-video-v4l2/vidc/venc/inc/omx_video_base.h +++ b/mm-video-v4l2/vidc/venc/inc/omx_video_base.h @@ -215,6 +215,8 @@ static const char* MEM_DEVICE = "/dev/pmem_smipool"; #define VEN_LEVEL_H263_70 0x1C/* H.263 Level 70 */ #endif //_TARGET_KERNEL_VERSION_49_ +class omx_video; +void post_message(omx_video *omx, unsigned char id); void* message_thread_enc(void *); enum omx_venc_extradata_types { diff --git a/mm-video-v4l2/vidc/venc/src/omx_swvenc_mpeg4.cpp b/mm-video-v4l2/vidc/venc/src/omx_swvenc_mpeg4.cpp index 2f72020c..dc0b592e 100644 --- a/mm-video-v4l2/vidc/venc/src/omx_swvenc_mpeg4.cpp +++ b/mm-video-v4l2/vidc/venc/src/omx_swvenc_mpeg4.cpp @@ -1658,6 +1658,13 @@ OMX_ERRORTYPE omx_venc::component_deinit(OMX_IN OMX_HANDLETYPE hComp) DEBUG_PRINT_HIGH("Calling swvenc_deinit()"); swvenc_deinit(m_hSwVenc); + if (msg_thread_created) { + msg_thread_created = false; + msg_thread_stop = true; + post_message(this, OMX_COMPONENT_CLOSE_MSG); + DEBUG_PRINT_HIGH("omx_video: Waiting on Msg Thread exit"); + pthread_join(msg_thread_id,NULL); + } DEBUG_PRINT_HIGH("OMX_Venc:Component Deinit"); RETURN(OMX_ErrorNone); diff --git a/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp b/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp index 1c1726b6..7fa178d3 100644 --- a/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp +++ b/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp @@ -345,17 +345,10 @@ omx_video::omx_video(): omx_video::~omx_video() { DEBUG_PRINT_HIGH("~omx_video(): Inside Destructor()"); - if (msg_thread_created) { - msg_thread_stop = true; - post_message(this, OMX_COMPONENT_CLOSE_MSG); - DEBUG_PRINT_HIGH("omx_video: Waiting on Msg Thread exit"); - pthread_join(msg_thread_id,NULL); - } close(m_pipe_in); close(m_pipe_out); m_pipe_in = -1; m_pipe_out = -1; - DEBUG_PRINT_HIGH("omx_video: Waiting on Async Thread exit"); /*For V4L2 based drivers, pthread_join is done in device_close * so no need to do it here*/ #ifndef _MSM8974_ diff --git a/mm-video-v4l2/vidc/venc/src/video_encoder_device_v4l2.cpp b/mm-video-v4l2/vidc/venc/src/video_encoder_device_v4l2.cpp index 8ce32c5f..2d097b3c 100644 --- a/mm-video-v4l2/vidc/venc/src/video_encoder_device_v4l2.cpp +++ b/mm-video-v4l2/vidc/venc/src/video_encoder_device_v4l2.cpp @@ -1671,6 +1671,13 @@ void venc_dev::venc_close() pthread_join(m_tid,NULL); } + if (venc_handle->msg_thread_created) { + venc_handle->msg_thread_created = false; + venc_handle->msg_thread_stop = true; + post_message(venc_handle, omx_video::OMX_COMPONENT_CLOSE_MSG); + DEBUG_PRINT_HIGH("omx_video: Waiting on Msg Thread exit"); + pthread_join(venc_handle->msg_thread_id, NULL); + } DEBUG_PRINT_HIGH("venc_close X"); unsubscribe_to_events(m_nDriver_fd); close(m_poll_efd); |