| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In secure mode, input buffer _must_ be allocated by the component to
allocate a secure buffer.
Client-supplied memory via usebuffer does not qualify as secure-memory
and must be rejected. This also avoids accidental heap-overflow while
copying bitstream from user-memory to a smaller-sized secure-payload
(usually the buffer-header itself)
CYNGNOS-3312
Bug : 30148882
Fixes : Heap Overflow/LPE in MediaServer (libOmxVdec problem #11)
Change-Id: I4f6017eae70d1b760a91be0cfcc356d380ec889b
(cherry picked from commit fd304685bb097f9ea519893c064405ad5be1109e)
|
|
|
|
|
|
|
|
|
|
|
| |
Heap pointers do not point to user virtual addresses in case
of secure session.
Set them to NULL and add checks to avoid accesing them
Ticket: CYNGNOS-3177
Bug: 28815329
Bug: 28920116
Change-Id: I27d02331d9613f4b20949457a8634924e767864e
|
|
|
|
|
|
|
|
|
|
| |
Set nAllocLen to the size of the opaque handle itself.
Ticket: CYNGNOS-3177
Bug: 28816964
Bug: 28816827
Change-Id: Id410e324bee291d4a0018dddb97eda9bbcded099
(cherry picked from commit 857df7fbafd5156d60df62d3ccb3cf7682b54197)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
(per the spec) ETB/FTB should not be handled in states other than
Executing, Paused and Idle. This avoids accessing invalid buffers.
Also add a lock to protect the private-buffers from being deleted
while accessing from another thread.
Bug: 27903498
Ticket: CYNGNOS-3020
Security Vulnerability - Heap Use-After-Free and Possible LPE in
MediaServer (libOmxVenc problem #3)
CRs-Fixed: 1010088
Change-Id: I898b42034c0add621d4f9d8e02ca0ed4403d4fd3
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
(per the spec) ETB/FTB should not be handled in states other than
Executing, Paused and Idle. This avoids accessing invalid buffers.
Also add a lock to protect the private-buffers from being deleted
while accessing from another thread.
Bug: 27890802
Ticket: CYNGNOS-3020
Security Vulnerability - Heap Use-After-Free and Possible LPE in
MediaServer (libOmxVdec problem #6)
CRs-Fixed: 1008882
Change-Id: Iaac2e383cd53cf9cf8042c9ed93ddc76dba3907e
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
OMX_IndexVendorVideoExtraData
This config (used to set header offline) is no longer used. Remove handling
this config since it uses non-process-safe ways to pass memory pointers.
Fixes: Security Vulnerability - Segfault in MediaServer (libOmxVdec problem #2)
Bug: 27475409
Ticket: CYNGNOS-2707
Change-Id: I7a535a3da485cbe83cf4605a05f9faf70dcca42f
(cherry picked from commit d10bb6546aecfdb1e4b72c9716b7a2f20ae57810)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Allow only up to 64 buffers on input/output port (since the
allocation bitmap is only 64-wide).
Add safety checks to free only as many buffers were allocated.
Fixes: Heap Overflow and Possible Local Privilege Escalation in
MediaServer (libOmxVenc problem)
Bug: 27532497
Ticket: CYNGNOS-2707
Change-Id: I31e576ef9dc542df73aa6b0ea113d72724b50fc6
(cherry picked from commit a3169f86efc63cd9d4eb28e4550444bd4a56bd21)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Check the sanity of config/param strcuture objects
passed to get/set _ config()/parameter() methods.
Ticket: CYNGNOS-2707
Bug: 27533317
Security Vulnerability in MediaServer
omx_vdec::get_config() Can lead to arbitrary write
Change-Id: I6c3243afe12055ab94f1a1ecf758c10e88231809
Conflicts:
mm-core/inc/OMX_QCOMExtns.h
mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp
mm-video-v4l2/vidc/venc/src/omx_video_base.cpp
mm-video-v4l2/vidc/venc/src/omx_video_encoder.cpp
(cherry picked from commit 94ec2bcfeb52797b2efa9bb7f617fe19f3b60e0a)
Change-Id: I6587348940cd0df22725fa615cbc0b2902a31af5
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Allow only up to 64 buffers on input/output port (since the
allocation bitmap is only 64-wide).
Do not allow changing theactual buffer count while still
holding allocation (Client can technically negotiate
buffer count on a free/disabled port)
Add safety checks to free only as many buffers were allocated.
Fixes: Security Vulnerability - Heap Overflow and Possible Local
Privilege Escalation in MediaServer (libOmxVdec problem #3)
Bug: 27532282 27661749
Ticket: CYNGNOS-2707
Change-Id: I06dd680d43feaef3efdc87311e8a6703e234b523
(cherry picked from commit 22030a36dda4b93aed7bcc1ddf27ac62dc221ff1)
|
|
|
|
| |
Change-Id: I77803f255a073e2f4d1636609ea5456af2d7990c
|
|\
| |
| |
| |
| |
| | |
https://android.googlesource.com/platform/hardware/qcom/media into HEAD
Android 6.0.1 release 3
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Check if the content has valid colorspace info in the VUI
before overriding the default colorspace to display
Bug: 24841600
Change-Id: I0ccc888c601c4a6ef0c61f5a68062e9cf931eab8
|
| |
| |
| |
| |
| |
| |
| |
| | |
Enable VUI extradata only for AVC dec
b/24804777
Change-Id: I8f6731c78a3e9d803f2fd6fbaf6a1d93d1dec3d3
|
| |
| |
| |
| |
| |
| |
| |
| | |
There are duplcated aac audio decoder entry in the OMX table.
This fixes:
E OMXMaster: A component of name 'OMX.qcom.audio.decoder.aac' already exists, ignoring this one.
Change-Id: I09b8ae911659b8146c6c42f4b8b130a610fab391
|
| |
| |
| |
| |
| |
| | |
Fixes build on msm8974.
Change-Id: Ic997d5d58610278cb0951a5d8a508dbfb20c7ac3
|
|\ \
| | |
| | |
| | | |
Android 6.0.0 release 26
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Enable VUI extradata only for AVC dec
b/24804777
Change-Id: I8f6731c78a3e9d803f2fd6fbaf6a1d93d1dec3d3
|
| |\ \
| | |/
| |/| |
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
This is to reduce the chance of frame drops during high speed recording
or with high system load.
Bug: 24227252
Change-Id: I353a9ea5427eb7dc3f7a153abc75bc7f1514e455
|
| | |\ |
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
- Enable low power mode for 4K recording
- Increasing min buff count for 4K session to 11 for power save mode.
Bug: 23505291
Change-Id: I6e35d373d7dc57f95f35d9a6acc45246552d21b2
|
| | | |\ |
|
| | | | |\ |
|
| | | | | |\ |
|
| | | | | | |\ |
|
| | | | | | | |\ |
|
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | | |
Fix builds and disable extradata on legacy devices
Bug: 24444518
Change-Id: I4e355a50e1901d0a51045d7c4848aa22b03e5196
|
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | | |
Enable and parse the VUI display info extradata to determine
the color space.
Author: Deva Ramasubramanian <dramasub@codeaurora.org>
Bug: 24444518
Change-Id: I7ed4b89a7c7ff792ee63d090e4d8265fc7eb225a
|
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | | |
Indicate to the driver if the YUV is 601 (full ranged or clamped) or
709.
Bug: 24444518
Change-Id: I5f3fab9d4b97b5f21cfa5b94456dd9da8bc04844
|
| |/ / / / / / /
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | | |
This is to reduce the chance of frame drops during high speed recording
or with high system load.
Bug: 24227252
Change-Id: I353a9ea5427eb7dc3f7a153abc75bc7f1514e455
|
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | | |
This reverts commit d265a5dd03b00d726dfad5ccaa0e95939ef7ab91.
Update color-conversion flag only if there is an update in
color-format. Updating the flag unconditionally from client thread
will cause message thread to read inconsistent values.
Also, Gralloc handle in ETB is valid only when the filled Len is non zero.
Hence, verifying color format and updating color conversion variable
only if buffer has valid handle.
Bug: 24015376
Change-Id: Ib7e097c45503dc01dd65283950b3dc0c187f1b96
|
| |/ / / / / /
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | | |
- Enable low power mode for 4K recording
- Increasing min buff count for 4K session to 11 for power save mode.
Bug: 23505291
Change-Id: I6e35d373d7dc57f95f35d9a6acc45246552d21b2
|
| |\ \ \ \ \ \
| | |/ / / / /
| |/| | | | |
| | | | | | |
| | | | | | | |
* commit 'f23399fbd9d7bcdd9067a4881218ac16779ffebc':
mm-video-v4l2: vdec: Disable input buffer cached-allocations.
|
| | |/ / / /
| |/| | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
Metadata buffer |MetadataBufferType|buffer_handle_t| size can be
8 or 16 bytes on 32-bit or 64-bit respectively. Update the check
which always assumes 32-bit size.
bug: 22487196
Change-Id: Iab161ed455a6ea2842116c89b2e389cdccf867b8
|
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
A kernel variable was to be defined as unsigned long but
it is mistakenly defined as unsigned only, the space is
missing after long. This bug is silent because unsigned
is also a valid data type by itself.
Corresponding to kernel fix, similar correction is done
in userspace code.
Change-Id: Ie58f275149dc9c85553f75e02594113b1a03ddcf
CRs-fixed: 556771
|
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
Change-Id: I7a238b7c105d58eb6ec7794ec7a6af37f63c4cb0
|
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
Change-Id: I703cf1882fb1e6cffedc07ad4025d48e630f6236
|
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
Change-Id: I7f18f9af0eac23baba2559b40dcddbc1081e91f5
|
|\ \ \ \ \ \
| |_|/ / / /
|/| | | | | |
|
| |\ \ \ \ \
| | |/ / / /
| |/| | | | |
|
| | |\ \ \ \
| | | |/ / /
| | |/| | | |
|
| | | |\ \ \
| | | | |/ /
| | | |/| /
| | | | |/ |
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Input buffer queued with EOS flag may have 0 filled-length.
Ignore checks for pBuffer-sanity and continue to signal
EOS.
Bug: 21659665
Change-Id: I2d0e09ffe37e73b1799fd41a869cdf0372277ecf
|
|/ / / /
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Disable input buffer cacheing as cache flush is causing higher CPU
utilization and resulting in power regression for video playback power.
Bug: 21816928
Change-Id: I014b13e48793162f7905d916b92e8466de020472
|
|/ / /
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
While creating a new instance when HW is oveloaded,
we return error with out creating pipe fd's.
In omx_video destructor it is closing pipes, since
the pipes are not initialized there is a chance
of closing valid pipe fd's of running instances
because of some garbage values present in it.
Hence initialized with -1.
BUG: 21659665
Change-Id: I1e04a159c41c104959db27b657866120696cb842
|
|/ /
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Operating-rate hints the incoming rate of frames in
real-time which can be different from the content fps.
This rate will use used to set the correct operating point
for encoder and decoder.
This config will fail with InSufficientResources if the
hardware cannot accomodate the requested operating rate.
Amended by Ashray Kulkarni <ashrayk@codeaurora.org>
bug: 20134262
Change-Id: If3f21067e31a4646ba143b1acd2d075421a6277a
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
when max instance count is reached, driver returns error, as part of
error handling (in some cases) close was not called, resulting in
increase of active instance count and memory leak. This change fixes
both instance cleanup and memory leak.
Bug: 20566750
Change-Id: I701fcf0aede048b2a36549cc4e971f976299d1aa
|
|/
|
|
|
|
|
|
|
|
| |
Input buffer queued with EOS flag may have 0 filled-length.
Ignore checks for pBuffer-sanity and continue to signal
EOS.
Bug: 21659665
Change-Id: I2d0e09ffe37e73b1799fd41a869cdf0372277ecf
|
|
|
|
|
|
|
|
| |
Set FLEXYUV_SUPPORTED to enable flex-yuv support
bug: 21596364
Change-Id: I97142cb7d83b369d6bc479f921111d1973478c96
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Enable priority as hinted by the client:
priority = 0 => real-time
= 1 => non-realtime
Also add the OMX extension for priority and operating-rate.
Amended by Ashray Kulkarni <ashrayk@codeaurora.org>
Default sessions to non-realtime.
bug: 20131548
Change-Id: I37532404a4a3ab5647b3490c3e3ecba2ed604bbf
|