diff options
author | Mahesh Lanka <mlanka@codeaurora.org> | 2016-10-12 14:44:30 +0530 |
---|---|---|
committer | Jessica Wagantall <jwagantall@cyngn.com> | 2016-12-09 11:03:14 -0800 |
commit | 62f8a92576089bf7740f0531179624c2f8d71500 (patch) | |
tree | 4a22bb0defdf7d66988d573db0ce404f8c11d7ad | |
parent | f582d1da8fc514d957f3beabcf91b46a2cc9b498 (diff) | |
download | android_hardware_qcom_media-62f8a92576089bf7740f0531179624c2f8d71500.tar.gz android_hardware_qcom_media-62f8a92576089bf7740f0531179624c2f8d71500.tar.bz2 android_hardware_qcom_media-62f8a92576089bf7740f0531179624c2f8d71500.zip |
mm-video-v4l2: vdec: Disallow input usebuffer for secure casestable/cm-13.0-caf-8916-ZNH0E
In secure mode, input buffer _must_ be allocated by the component to
allocate a secure buffer.
Client-supplied memory via usebuffer does not qualify as secure-memory
and must be rejected. This also avoids accidental heap-overflow while
copying bitstream from user-memory to a smaller-sized secure-payload
(usually the buffer-header itself)
CYNGNOS-3312
Bug : 30148882
Fixes : Heap Overflow/LPE in MediaServer (libOmxVdec problem #11)
Change-Id: I4f6017eae70d1b760a91be0cfcc356d380ec889b
(cherry picked from commit fd304685bb097f9ea519893c064405ad5be1109e)
-rw-r--r-- | mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp b/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp index 16b0b6f9..251ae514 100644 --- a/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp +++ b/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp @@ -4920,6 +4920,12 @@ OMX_ERRORTYPE omx_vdec::use_input_heap_buffers( { DEBUG_PRINT_LOW("Inside %s, %p", __FUNCTION__, buffer); OMX_ERRORTYPE eRet = OMX_ErrorNone; + + if (secure_mode) { + DEBUG_PRINT_ERROR("use_input_heap_buffers is not allowed in secure mode"); + return OMX_ErrorUndefined; + } + if (!m_inp_heap_ptr) m_inp_heap_ptr = (OMX_BUFFERHEADERTYPE*) calloc( (sizeof(OMX_BUFFERHEADERTYPE)), @@ -6167,7 +6173,7 @@ OMX_ERRORTYPE omx_vdec::empty_this_buffer_proxy(OMX_IN OMX_HANDLETYPE hComp, /*for use buffer we need to memcpy the data*/ temp_buffer->buffer_len = buffer->nFilledLen; - if (input_use_buffer) { + if (input_use_buffer && !secure_mode) { if (buffer->nFilledLen <= temp_buffer->buffer_len) { if (arbitrary_bytes) { memcpy (temp_buffer->bufferaddr, (buffer->pBuffer + buffer->nOffset),buffer->nFilledLen); |