diff options
author | Praveen Chavan <pchavan@codeaurora.org> | 2016-04-11 17:32:55 -0700 |
---|---|---|
committer | Jessica Wagantall <jwagantall@cyngn.com> | 2016-06-07 15:34:03 -0700 |
commit | 98c95e1808e7a5f7d2600e11ef061faee9d4ae9d (patch) | |
tree | 1717b41e64cdbbf6f99e09b6461682d8515c31b8 | |
parent | f9a4018634a21e4a47c95b3a2712ca87dee2b968 (diff) | |
download | android_hardware_qcom_media-98c95e1808e7a5f7d2600e11ef061faee9d4ae9d.tar.gz android_hardware_qcom_media-98c95e1808e7a5f7d2600e11ef061faee9d4ae9d.tar.bz2 android_hardware_qcom_media-98c95e1808e7a5f7d2600e11ef061faee9d4ae9d.zip |
DO NOT MERGE mm-video-v4l2: venc: add safety checks for freeing buffers
Allow only up to 64 buffers on input/output port (since the
allocation bitmap is only 64-wide).
Add safety checks to free only as many buffers were allocated.
Fixes: Heap Overflow and Possible Local Privilege Escalation in
MediaServer (libOmxVenc problem)
Bug: 27532497
Ticket: CYNGNOS-2707
Change-Id: I31e576ef9dc542df73aa6b0ea113d72724b50fc6
(cherry picked from commit a3169f86efc63cd9d4eb28e4550444bd4a56bd21)
-rw-r--r-- | mm-video-v4l2/vidc/venc/inc/omx_video_base.h | 7 | ||||
-rw-r--r-- | mm-video-v4l2/vidc/venc/src/omx_video_base.cpp | 11 | ||||
-rw-r--r-- | mm-video-v4l2/vidc/venc/src/omx_video_encoder.cpp | 28 |
3 files changed, 37 insertions, 9 deletions
diff --git a/mm-video-v4l2/vidc/venc/inc/omx_video_base.h b/mm-video-v4l2/vidc/venc/inc/omx_video_base.h index 50153adc..5db06139 100644 --- a/mm-video-v4l2/vidc/venc/inc/omx_video_base.h +++ b/mm-video-v4l2/vidc/venc/inc/omx_video_base.h @@ -1,5 +1,5 @@ /*-------------------------------------------------------------------------- -Copyright (c) 2010-2014, The Linux Foundation. All rights reserved. +Copyright (c) 2010-2016, The Linux Foundation. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are @@ -141,9 +141,10 @@ static const char* MEM_DEVICE = "/dev/pmem_smipool"; & BITMASK_FLAG(mIndex)) #define BITMASK_ABSENT(mArray,mIndex) (((mArray)[BITMASK_OFFSET(mIndex)] \ & BITMASK_FLAG(mIndex)) == 0x0) -#ifdef _ANDROID_ICS_ + #define MAX_NUM_INPUT_BUFFERS 64 -#endif +#define MAX_NUM_OUTPUT_BUFFERS 64 + void* message_thread(void *); // OMX video class diff --git a/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp b/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp index 1aee2c1e..36276780 100644 --- a/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp +++ b/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp @@ -1,5 +1,5 @@ /*-------------------------------------------------------------------------- -Copyright (c) 2010-2015, Linux Foundation. All rights reserved. +Copyright (c) 2010-2016, Linux Foundation. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: @@ -2409,7 +2409,6 @@ OMX_ERRORTYPE omx_video::use_output_buffer( *bufferHdr = (m_out_mem_ptr + i ); (*bufferHdr)->pBuffer = (OMX_U8 *)buffer; (*bufferHdr)->pAppPrivate = appData; - BITMASK_SET(&m_out_bm_count,i); if (!m_use_output_pmem) { #ifdef USE_ION @@ -2487,6 +2486,8 @@ OMX_ERRORTYPE omx_video::use_output_buffer( DEBUG_PRINT_ERROR("ERROR: dev_use_buf Failed for o/p buf"); return OMX_ErrorInsufficientResources; } + + BITMASK_SET(&m_out_bm_count,i); } else { DEBUG_PRINT_ERROR("ERROR: All o/p Buffers have been Used, invalid use_buf call for " "index = %u", i); @@ -3188,7 +3189,8 @@ OMX_ERRORTYPE omx_video::free_buffer(OMX_IN OMX_HANDLETYPE hComp, DEBUG_PRINT_LOW("free_buffer on i/p port - Port idx %u, actual cnt %u", nPortIndex, (unsigned int)m_sInPortDef.nBufferCountActual); - if (nPortIndex < m_sInPortDef.nBufferCountActual) { + if (nPortIndex < m_sInPortDef.nBufferCountActual && + BITMASK_PRESENT(&m_inp_bm_count, nPortIndex)) { // Clear the bit associated with it. BITMASK_CLEAR(&m_inp_bm_count,nPortIndex); free_input_buffer (buffer); @@ -3238,7 +3240,8 @@ OMX_ERRORTYPE omx_video::free_buffer(OMX_IN OMX_HANDLETYPE hComp, DEBUG_PRINT_LOW("free_buffer on o/p port - Port idx %u, actual cnt %u", nPortIndex, (unsigned int)m_sOutPortDef.nBufferCountActual); - if (nPortIndex < m_sOutPortDef.nBufferCountActual) { + if (nPortIndex < m_sOutPortDef.nBufferCountActual && + BITMASK_PRESENT(&m_out_bm_count, nPortIndex)) { // Clear the bit associated with it. BITMASK_CLEAR(&m_out_bm_count,nPortIndex); m_sOutPortDef.bPopulated = OMX_FALSE; diff --git a/mm-video-v4l2/vidc/venc/src/omx_video_encoder.cpp b/mm-video-v4l2/vidc/venc/src/omx_video_encoder.cpp index 70d62607..32d8c0af 100644 --- a/mm-video-v4l2/vidc/venc/src/omx_video_encoder.cpp +++ b/mm-video-v4l2/vidc/venc/src/omx_video_encoder.cpp @@ -594,6 +594,11 @@ OMX_ERRORTYPE omx_venc::set_parameter(OMX_IN OMX_HANDLETYPE hComp, DEBUG_PRINT_LOW("i/p actual cnt requested = %u", (unsigned int)portDefn->nBufferCountActual); DEBUG_PRINT_LOW("i/p min cnt requested = %u", (unsigned int)portDefn->nBufferCountMin); DEBUG_PRINT_LOW("i/p buffersize requested = %u", (unsigned int)portDefn->nBufferSize); + if (portDefn->nBufferCountActual > MAX_NUM_INPUT_BUFFERS) { + DEBUG_PRINT_ERROR("ERROR: (In_PORT) actual count (%u) exceeds max(%u)", + (unsigned int)portDefn->nBufferCountActual, (unsigned int)MAX_NUM_INPUT_BUFFERS); + return OMX_ErrorUnsupportedSetting; + } if (portDefn->nBufferCountMin > portDefn->nBufferCountActual) { DEBUG_PRINT_ERROR("ERROR: (In_PORT) Min buffers (%u) > actual count (%u)", (unsigned int)portDefn->nBufferCountMin, (unsigned int)portDefn->nBufferCountActual); @@ -642,6 +647,11 @@ OMX_ERRORTYPE omx_venc::set_parameter(OMX_IN OMX_HANDLETYPE hComp, DEBUG_PRINT_LOW("o/p actual cnt requested = %u", (unsigned int)portDefn->nBufferCountActual); DEBUG_PRINT_LOW("o/p min cnt requested = %u", (unsigned int)portDefn->nBufferCountMin); DEBUG_PRINT_LOW("o/p buffersize requested = %u", (unsigned int)portDefn->nBufferSize); + if (portDefn->nBufferCountActual > MAX_NUM_OUTPUT_BUFFERS) { + DEBUG_PRINT_ERROR("ERROR: (Out_PORT) actual count (%u) exceeds max(%u)", + (unsigned int)portDefn->nBufferCountActual, (unsigned int)MAX_NUM_OUTPUT_BUFFERS); + return OMX_ErrorUnsupportedSetting; + } if (portDefn->nBufferCountMin > portDefn->nBufferCountActual) { DEBUG_PRINT_ERROR("ERROR: (Out_PORT) Min buffers (%u) > actual count (%u)", (unsigned int)portDefn->nBufferCountMin, (unsigned int)portDefn->nBufferCountActual); @@ -1873,7 +1883,14 @@ OMX_ERRORTYPE omx_venc::component_deinit(OMX_IN OMX_HANDLETYPE hComp) if (m_out_mem_ptr) { DEBUG_PRINT_LOW("Freeing the Output Memory"); for (i=0; i< m_sOutPortDef.nBufferCountActual; i++ ) { - free_output_buffer (&m_out_mem_ptr[i]); + if (BITMASK_PRESENT(&m_out_bm_count, i)) { + BITMASK_CLEAR(&m_out_bm_count, i); + free_output_buffer (&m_out_mem_ptr[i]); + } + + if (release_output_done()) { + break; + } } free(m_out_mem_ptr); m_out_mem_ptr = NULL; @@ -1887,7 +1904,14 @@ OMX_ERRORTYPE omx_venc::component_deinit(OMX_IN OMX_HANDLETYPE hComp) ) { DEBUG_PRINT_LOW("Freeing the Input Memory"); for (i=0; i<m_sInPortDef.nBufferCountActual; i++ ) { - free_input_buffer (&m_inp_mem_ptr[i]); + if (BITMASK_PRESENT(&m_inp_bm_count, i)) { + BITMASK_CLEAR(&m_inp_bm_count, i); + free_input_buffer (&m_inp_mem_ptr[i]); + } + + if (release_input_done()) { + break; + } } |