authorPraveen Chavan <pchavan@codeaurora.org>2016-04-25 11:51:05 -0700
committerGerrit Code Review <gerrit@cyanogenmod.org>2016-06-08 17:35:24 -0700
commit8f57a2b77e7cbd17a169c5ed825d3ebb2daf90fb (patch)
treec504a0f1c63b4d4534e607607b719f330f4c0e9a
parent05162cec9fcba4bc70b35cf4eaccd35f21245b6d (diff)
mm-video-v4l2: venc: Avoid processing ETBs/FTBs in invalid statesstable/cm-13.0-caf-8994-ZNH2KB
(per the spec) ETB/FTB should not be handled in states other than Executing, Paused and Idle. This avoids accessing invalid buffers. Also add a lock to protect the private-buffers from being deleted while accessing from another thread. Bug: 27903498 Ticket: CYNGNOS-3020 Security Vulnerability - Heap Use-After-Free and Possible LPE in MediaServer (libOmxVenc problem #3) CRs-Fixed: 1010088 Change-Id: I898b42034c0add621d4f9d8e02ca0ed4403d4fd3
-rw-r--r--mm-video-v4l2/vidc/venc/src/omx_video_base.cpp20
1 files changed, 16 insertions, 4 deletions
diff --git a/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp b/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp
index cee93864..157afe3f 100644
--- a/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp
+++ b/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp
@@ -2616,6 +2616,8 @@ OMX_ERRORTYPE omx_video::free_input_buffer(OMX_BUFFERHEADERTYPE *bufferHdr)
}
if (index < m_sInPortDef.nBufferCountActual && m_pInput_pmem) {
+ auto_lock l(m_lock);
+
if (m_pInput_pmem[index].fd > 0 && input_use_buffer == false) {
DEBUG_PRINT_LOW("FreeBuffer:: i/p AllocateBuffer case");
if(!secure_session) {
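Review bot: The guard `index < m_sInPortDef.nBufferCountActual && m_pInput_pmem` is still evaluated before `auto_lock l(m_lock);` is taken, so the table pointer and the buffer count are read unsynchronised. If another thread can release or replace `m_pInput_pmem` (not visible in this hunk), the check can pass on state that has changed by the time the lock is held; taking the lock just above the `if` would close that window. A short comment on the lock, e.g. `// serialises with the memcpy in empty_this_buffer_proxy()`, would also document which reader it protects against. free_input_buffer starts and ends outside the hunk.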
@@ -2623,6 +2625,7 @@ OMX_ERRORTYPE omx_video::free_input_buffer(OMX_BUFFERHEADERTYPE *bufferHdr)
} else {
free(m_pInput_pmem[index].buffer);
}
+ m_pInput_pmem[index].buffer = NULL;
close (m_pInput_pmem[index].fd);
#ifdef USE_ION
free_ion_memory(&m_pInput_ion[index]);
@@ -2636,6 +2639,7 @@ OMX_ERRORTYPE omx_video::free_input_buffer(OMX_BUFFERHEADERTYPE *bufferHdr)
}
if(!secure_session) {
munmap (m_pInput_pmem[index].buffer,m_pInput_pmem[index].size);
+ m_pInput_pmem[index].buffer = NULL;
}
close (m_pInput_pmem[index].fd);
#ifdef USE_ION
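Review bot: In this path the pointer is cleared only inside `if(!secure_session)`, whereas the previous hunk in the same function clears it after both the munmap and the free branch. For a secure session the slot keeps whatever `buffer` held once `close()` has run, so the new `if (pmem_data_buf)` guard in empty_this_buffer_proxy cannot tell that the slot was released. Unless the secure path never stores a pointer there (not visible here), move `m_pInput_pmem[index].buffer = NULL;` below the closing brace so both paths reset it. The enclosing function continues outside the hunk.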
@@ -3348,7 +3352,9 @@ OMX_ERRORTYPE omx_video::empty_this_buffer(OMX_IN OMX_HANDLETYPE hComp,
unsigned int nBufferIndex ;
DEBUG_PRINT_LOW("ETB: buffer = %p, buffer->pBuffer[%p]", buffer, buffer->pBuffer);
- if (m_state == OMX_StateInvalid) {
+ if (m_state != OMX_StateExecuting &&
+ m_state != OMX_StatePause &&
+ m_state != OMX_StateIdle) {
DEBUG_PRINT_ERROR("ERROR: Empty this buffer in Invalid State");
return OMX_ErrorInvalidState;
}
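Review bot: `m_state` is read here without holding `m_lock`, and the copy this check is meant to protect appears to run later in empty_this_buffer_proxy, so a state transition between this check and the proxy is not covered by it. The lock and NULL test added in the proxy handle the freed-buffer case, but the reliance should be stated, for example `// state can change before the proxy runs; the proxy re-validates the buffer under m_lock`, or the state should be re-checked in the proxy. The same applies to the identical check added in fill_this_buffer. The function body continues outside the hunk.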
@@ -3518,9 +3524,13 @@ OMX_ERRORTYPE omx_video::empty_this_buffer_proxy(OMX_IN OMX_HANDLETYPE hComp,
#endif
{
DEBUG_PRINT_LOW("Heap UseBuffer case, so memcpy the data");
+
+ auto_lock l(m_lock);
pmem_data_buf = (OMX_U8 *)m_pInput_pmem[nBufIndex].buffer;
- memcpy (pmem_data_buf, (buffer->pBuffer + buffer->nOffset),
- buffer->nFilledLen);
+ if (pmem_data_buf) {
+ memcpy (pmem_data_buf, (buffer->pBuffer + buffer->nOffset),
+ buffer->nFilledLen);
+ }
DEBUG_PRINT_LOW("memcpy() done in ETBProxy for i/p Heap UseBuf");
} else if (mUseProxyColorFormat) {
// Gralloc-source buffers with color-conversion
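Review bot: When `pmem_data_buf` is NULL the copy is skipped but execution falls through to the `memcpy() done` log and, presumably, to the rest of the ETB path, so a buffer freed mid-flight is treated as a successful copy. An explicit failure branch would make this visible, e.g. `if (!pmem_data_buf) { DEBUG_PRINT_ERROR("ETBProxy: input buffer already freed, dropping frame"); /* leave via the function's existing error path */ }`. Separately, nothing in the hunk bounds `buffer->nOffset + buffer->nFilledLen` against `m_pInput_pmem[nBufIndex].size`; if that is not validated earlier in the function, it should be checked before the memcpy. The function starts and ends outside the hunk.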
@@ -3579,7 +3589,9 @@ OMX_ERRORTYPE omx_video::fill_this_buffer(OMX_IN OMX_HANDLETYPE hComp,
OMX_IN OMX_BUFFERHEADERTYPE* buffer)
{
DEBUG_PRINT_LOW("FTB: buffer->pBuffer[%p]", buffer->pBuffer);
- if (m_state == OMX_StateInvalid) {
+ if (m_state != OMX_StateExecuting &&
+ m_state != OMX_StatePause &&
+ m_state != OMX_StateIdle) {
DEBUG_PRINT_ERROR("ERROR: FTB in Invalid State");
return OMX_ErrorInvalidState;
}
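Review bot: The message `ERROR: FTB in Invalid State` is now emitted for Loaded, WaitForResources and every other non-running state, not only OMX_StateInvalid, which makes the log misleading when triaging rejected calls. Printing the actual value, e.g. `DEBUG_PRINT_ERROR("ERROR: FTB rejected in state %d", m_state);`, keeps the rejection attributable to a specific transition. The ETB message in empty_this_buffer has the same issue. fill_this_buffer continues outside the hunk.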