From 02d14db2220a11ee4292a53ddbb2969117aa49c5 Mon Sep 17 00:00:00 2001
From: Sri Karri <sridur@codeaurora.org>
Date: Fri, 16 Mar 2018 12:46:14 +0530
Subject: mm-video-v4l2: Protect buffer access and increase input buffer size.

Protect buffer access for below scenarios:
*Increase the scope of buf_lock in free_buffer to avoid access
 of freed buffer for both input and output buffers. Also, add check
 before output buffer access.
*Disallow allocate buffer mode after client has called use buffer.
Allocate additional 512 bytes of memory for input buffers on top of
allocation size as per hardware requirement.

CRs-Fixed: 2119840

Change-Id: Ic570d8248806ee492f68b51cb73139cf5c5028e5
---
 mm-video-v4l2/vidc/vdec/inc/omx_vdec.h           |  1 +
 mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp | 31 +++++++++++++++++++-----
 2 files changed, 26 insertions(+), 6 deletions(-)

diff --git a/mm-video-v4l2/vidc/vdec/inc/omx_vdec.h b/mm-video-v4l2/vidc/vdec/inc/omx_vdec.h
index 34f9f8f8..7f80c627 100644
--- a/mm-video-v4l2/vidc/vdec/inc/omx_vdec.h
+++ b/mm-video-v4l2/vidc/vdec/inc/omx_vdec.h
@@ -1095,6 +1095,7 @@ class omx_vdec: public qc_omx_component
 #ifdef FLEXYUV_SUPPORTED
         static OMX_ERRORTYPE describeColorFormat(DescribeColorFormatParams *params);
 #endif
+        bool m_buffer_error;
 
         class client_extradata_info {
             private:
diff --git a/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp b/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp
index 87b49fb5..605c2e40 100644
--- a/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp
+++ b/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp
@@ -592,7 +592,8 @@ omx_vdec::omx_vdec(): m_error_propogated(false),
     ignore_not_coded_vops(true),
     m_last_rendered_TS(-1),
     m_queued_codec_config_count(0),
-    secure_scaling_to_non_secure_opb(false)
+    secure_scaling_to_non_secure_opb(false),
+    m_buffer_error(false)
 {
     /* Assumption is that , to begin with , we have all the frames with decoder */
     DEBUG_PRINT_HIGH("In %u bit OMX vdec Constructor", (unsigned int)sizeof(long) * 8);
@@ -4776,6 +4777,7 @@ OMX_ERRORTYPE  omx_vdec::use_output_buffer(
         eRet = allocate_output_headers();
         if (eRet == OMX_ErrorNone)
             eRet = allocate_extradata();
+        output_use_buffer = true;
     }
 
     if (eRet == OMX_ErrorNone) {
@@ -5191,7 +5193,6 @@ OMX_ERRORTYPE omx_vdec::free_input_buffer(OMX_BUFFERHEADERTYPE *bufferHdr)
     index = bufferHdr - m_inp_mem_ptr;
     DEBUG_PRINT_LOW("Free Input Buffer index = %d",index);
 
-    auto_lock l(buf_lock);
     bufferHdr->pInputPortPrivate = NULL;
 
     if (index < drv_ctx.ip_buf.actualcount && drv_ctx.ptr_inputbuffer) {
@@ -5405,6 +5406,7 @@ OMX_ERRORTYPE  omx_vdec::allocate_input_buffer(
     unsigned   i = 0;
     unsigned char *buf_addr = NULL;
     int pmem_fd = -1;
+    unsigned int align_size = 0;
 
     (void) hComp;
     (void) port;
@@ -5464,8 +5466,10 @@ OMX_ERRORTYPE  omx_vdec::allocate_input_buffer(
         int rc;
         DEBUG_PRINT_LOW("Allocate input Buffer");
 #ifdef USE_ION
+        align_size = drv_ctx.ip_buf.buffer_size + 512;
+        align_size = (align_size + drv_ctx.ip_buf.alignment - 1)&(~(drv_ctx.ip_buf.alignment - 1));
         drv_ctx.ip_buf_ion_info[i].ion_device_fd = alloc_map_ion_memory(
-                drv_ctx.ip_buf.buffer_size,drv_ctx.op_buf.alignment,
+                align_size, drv_ctx.op_buf.alignment,
                 &drv_ctx.ip_buf_ion_info[i].ion_alloc_data,
                 &drv_ctx.ip_buf_ion_info[i].fd_ion_data, secure_mode ? ION_SECURE : 0);
         if (drv_ctx.ip_buf_ion_info[i].ion_device_fd < 0) {
@@ -5956,6 +5960,10 @@ OMX_ERRORTYPE  omx_vdec::allocate_buffer(OMX_IN OMX_HANDLETYPE                hC
             eRet = allocate_input_buffer(hComp,bufferHdr,port,appData,bytes);
         }
     } else if (port == OMX_CORE_OUTPUT_PORT_INDEX) {
+        if (output_use_buffer) {
+            DEBUG_PRINT_ERROR("Allocate output buffer not allowed after use buffer");
+            return OMX_ErrorBadParameter;
+        }
         eRet = client_buffers.allocate_buffers_color_convert(hComp,bufferHdr,port,
                 appData,bytes);
     } else {
@@ -6016,6 +6024,7 @@ OMX_ERRORTYPE  omx_vdec::free_buffer(OMX_IN OMX_HANDLETYPE         hComp,
     (void) hComp;
     DEBUG_PRINT_LOW("In for decoder free_buffer");
 
+    auto_lock l(buf_lock);
     if (m_state == OMX_StateIdle &&
             (BITMASK_PRESENT(&m_flags ,OMX_COMPONENT_LOADING_PENDING))) {
         DEBUG_PRINT_LOW(" free buffer while Component in Loading pending");
@@ -6032,7 +6041,7 @@ OMX_ERRORTYPE  omx_vdec::free_buffer(OMX_IN OMX_HANDLETYPE         hComp,
         post_event(OMX_EventError,
                 OMX_ErrorPortUnpopulated,
                 OMX_COMPONENT_GENERATE_EVENT);
-
+        m_buffer_error = true;
         return OMX_ErrorIncorrectStateOperation;
     } else if (m_state != OMX_StateInvalid) {
         DEBUG_PRINT_ERROR("Invalid state to free buffer,port lost Buffers");
@@ -6137,6 +6146,7 @@ OMX_ERRORTYPE  omx_vdec::free_buffer(OMX_IN OMX_HANDLETYPE         hComp,
             BITMASK_CLEAR((&m_flags),OMX_COMPONENT_LOADING_PENDING);
             post_event(OMX_CommandStateSet, OMX_StateLoaded,
                     OMX_COMPONENT_GENERATE_EVENT);
+            m_buffer_error = false;
         }
     }
     return eRet;
@@ -6327,6 +6337,10 @@ OMX_ERRORTYPE  omx_vdec::empty_this_buffer_proxy(OMX_IN OMX_HANDLETYPE  hComp,
     if (!temp_buffer || (temp_buffer -  drv_ctx.ptr_inputbuffer) > (int)drv_ctx.ip_buf.actualcount) {
         return OMX_ErrorBadParameter;
     }
+    if (BITMASK_ABSENT(&m_inp_bm_count, nPortIndex) || m_buffer_error) {
+        DEBUG_PRINT_ERROR("ETBProxy: ERROR: invalid buffer, nPortIndex %u", nPortIndex);
+        return OMX_ErrorBadParameter;
+    }
     /* If its first frame, H264 codec and reject is true, then parse the nal
        and get the profile. Based on this, reject the clip playback */
     if (first_frame == 0 && codec_type_parse == CODEC_TYPE_H264 &&
@@ -6622,6 +6636,7 @@ OMX_ERRORTYPE  omx_vdec::fill_this_buffer_proxy(
     struct vdec_bufferpayload     *ptr_outputbuffer = NULL;
     struct vdec_output_frameinfo  *ptr_respbuffer = NULL;
 
+    auto_lock l(buf_lock);
     nPortIndex = buffer-((OMX_BUFFERHEADERTYPE *)client_buffers.get_il_buf_hdr());
 
     if (bufferAdd == NULL || nPortIndex >= drv_ctx.op_buf.actualcount) {
@@ -6629,7 +6644,10 @@ OMX_ERRORTYPE  omx_vdec::fill_this_buffer_proxy(
             nPortIndex, drv_ctx.op_buf.actualcount);
         return OMX_ErrorBadParameter;
     }
-
+    if (BITMASK_ABSENT(&m_out_bm_count, nPortIndex) || m_buffer_error) {
+        DEBUG_PRINT_ERROR("FTBProxy: ERROR: invalid buffer, nPortIndex %u", nPortIndex);
+        return OMX_ErrorBadParameter;
+    }
     DEBUG_PRINT_LOW("FTBProxy: bufhdr = %p, bufhdr->pBuffer = %p",
             bufferAdd, bufferAdd->pBuffer);
     /*Return back the output buffer to client*/
@@ -7835,7 +7853,8 @@ int omx_vdec::async_message_process (void *context, void* message)
                         output_respbuf->pic_type = PICTURE_TYPE_B;
                     }
 
-                    if (omx->output_use_buffer)
+                    if (!omx->m_enable_android_native_buffers &&
+                        omx->output_use_buffer)
                         memcpy ( omxhdr->pBuffer, (void *)
                                 ((unsigned long)vdec_msg->msgdata.output_frame.bufferaddr +
                                  (unsigned long)vdec_msg->msgdata.output_frame.offset),
-- 
cgit v1.2.3