From d74148e3925d07f708755c325d51a57cca75c8cb Mon Sep 17 00:00:00 2001 From: Praveen Chavan Date: Thu, 25 Aug 2016 18:15:24 -0700 Subject: DO NOT MERGE: mm-video-v4l2: venc: Disallow changing buffer count/size on allocated port Count and size negotiation of port-buffers should only be allowed when the port hasn't been allocated yet. Letting the client change count/size on a pre-allocated port will cause inconsistencies in the count/size of memory allocated for headers and internal lists. Fix resetting of buffer-base (m_inp_mem_ptr) when all buffers are freed, for all the buffer-modes. Bug: 29421682 Fixes: Local Privilege Escalation in MediaServer (libOmxVenc problem #10) Change-Id: I9abead969bc3c908e6db9beb6316fd572dac25f7 (cherry picked from commit 744b5eeaa2a1a48818580536451479acc9231f1a) --- mm-video-v4l2/vidc/venc/src/omx_video_base.cpp | 12 +++++------- mm-video-v4l2/vidc/venc/src/omx_video_encoder.cpp | 14 ++++++++++++++ 2 files changed, 19 insertions(+), 7 deletions(-) diff --git a/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp b/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp index e273105b..d51de80e 100644 --- a/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp +++ b/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp @@ -2966,17 +2966,15 @@ OMX_ERRORTYPE omx_video::free_buffer(OMX_IN OMX_HANDLETYPE hComp, m_sInPortDef.bPopulated = OMX_FALSE; /*Free the Buffer Header*/ - if (release_input_done() -#ifdef _ANDROID_ICS_ - && !meta_mode_enable -#endif - ) { + if (release_input_done()) { input_use_buffer = false; - if (m_inp_mem_ptr) { + // "m_inp_mem_ptr" may point to "meta_buffer_hdr" in some modes, + // in which case, it was not explicitly allocated + if (m_inp_mem_ptr && m_inp_mem_ptr != meta_buffer_hdr) { DEBUG_PRINT_LOW("Freeing m_inp_mem_ptr\n"); free (m_inp_mem_ptr); - m_inp_mem_ptr = NULL; } + m_inp_mem_ptr = NULL; if (m_pInput_pmem) { DEBUG_PRINT_LOW("Freeing m_pInput_pmem\n"); free(m_pInput_pmem); diff --git a/mm-video-v4l2/vidc/venc/src/omx_video_encoder.cpp b/mm-video-v4l2/vidc/venc/src/omx_video_encoder.cpp index 9a1829fe..29b679da 100644 --- a/mm-video-v4l2/vidc/venc/src/omx_video_encoder.cpp +++ b/mm-video-v4l2/vidc/venc/src/omx_video_encoder.cpp @@ -508,6 +508,13 @@ OMX_ERRORTYPE omx_venc::set_parameter(OMX_IN OMX_HANDLETYPE hComp, (unsigned int)portDefn->nBufferCountActual, (unsigned int)MAX_NUM_INPUT_BUFFERS); return OMX_ErrorUnsupportedSetting; } + + if (m_inp_mem_ptr && + (portDefn->nBufferCountActual != m_sInPortDef.nBufferCountActual || + portDefn->nBufferSize != m_sInPortDef.nBufferSize)) { + DEBUG_PRINT_ERROR("ERROR: (In_PORT) buffer count/size can change only if port is unallocated !"); + return OMX_ErrorInvalidState; + } if (portDefn->nBufferCountMin > portDefn->nBufferCountActual) { DEBUG_PRINT_ERROR("\nERROR: (In_PORT) Min buffers (%d) > actual count (%d)\n", portDefn->nBufferCountMin, portDefn->nBufferCountActual); @@ -560,6 +567,13 @@ OMX_ERRORTYPE omx_venc::set_parameter(OMX_IN OMX_HANDLETYPE hComp, (unsigned int)portDefn->nBufferCountActual, (unsigned int)MAX_NUM_OUTPUT_BUFFERS); return OMX_ErrorUnsupportedSetting; } + + if (m_out_mem_ptr && + (portDefn->nBufferCountActual != m_sOutPortDef.nBufferCountActual || + portDefn->nBufferSize != m_sOutPortDef.nBufferSize)) { + DEBUG_PRINT_ERROR("ERROR: (Out_PORT) buffer count/size can change only if port is unallocated !"); + return OMX_ErrorInvalidState; + } if (portDefn->nBufferCountMin > portDefn->nBufferCountActual) { DEBUG_PRINT_ERROR("\nERROR: (Out_PORT) Min buffers (%d) > actual count (%d)\n", portDefn->nBufferCountMin, portDefn->nBufferCountActual); -- cgit v1.2.3