From f008eef0a1bfb6a6e37f0ba2241d9496354b2b7a Mon Sep 17 00:00:00 2001
From: Santhosh Behara
Date: Tue, 19 Sep 2017 12:43:02 +0530
Subject: mm-video-v4l2: venc: Use client allocated memory if available
IL client may free the buffer and calls for free buffer on IL component to free the buffer header. It may happen that the IL component may reject the free buffer due to various reasons. In such scenario, client might have already freed the memory allocated by client (such scenario will appear in use buffer mode of buffer allocation). Now accessing client buffer in such scenario may lead to use after free vulnerability. Added a flag to indicate if the client buffer is available to perform any operation on the client allocated memory. If not, restrict from doing any operation on client memory.
CRs-Fixed: 2115779
Change-Id: I45e4f117e98588ee7c888ec5c1cb2424bc7e5fa3
---
 mm-video-v4l2/vidc/venc/inc/omx_video_base.h | 1 +
 mm-video-v4l2/vidc/venc/src/omx_video_base.cpp | 8 +++++++-
 mm-video-v4l2/vidc/venc/src/omx_video_encoder.cpp | 2 ++
 3 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/mm-video-v4l2/vidc/venc/inc/omx_video_base.h b/mm-video-v4l2/vidc/venc/inc/omx_video_base.h
index f325678e..5e2c088d 100644
--- a/mm-video-v4l2/vidc/venc/inc/omx_video_base.h
+++ b/mm-video-v4l2/vidc/venc/inc/omx_video_base.h
@@ -707,6 +707,7 @@ class omx_video: public qc_omx_component
 uint64_t m_out_bm_count;
 uint64_t m_client_out_bm_count;
+ uint64_t m_client_in_bm_count;
 uint64_t m_inp_bm_count;
 uint64_t m_flags;
 uint64_t m_etb_count;
diff --git a/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp b/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp
index c0c697a1..89785b60 100644
--- a/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp
+++ b/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp
@@ -290,6 +290,7 @@ omx_video::omx_video():
 allocate_native_handle(false),
 m_out_bm_count(0),
 m_client_out_bm_count(0),
+ m_client_in_bm_count(0),
 m_inp_bm_count(0),
 m_flags(0),
 m_etb_count(0),
@@ -2645,6 +2646,7 @@ OMX_ERRORTYPE omx_video::use_input_buffer(
 *bufferHdr = (m_inp_mem_ptr + i);
 BITMASK_SET(&m_inp_bm_count,i);
+ BITMASK_SET(&m_client_in_bm_count,i);
 (*bufferHdr)->pBuffer = (OMX_U8 *)buffer;
 (*bufferHdr)->nSize = sizeof(OMX_BUFFERHEADERTYPE);
@@ -3661,6 +3663,10 @@ OMX_ERRORTYPE omx_video::free_buffer(OMX_IN OMX_HANDLETYPE hComp,
 nPortIndex = buffer - (OMX_BUFFERHEADERTYPE*)m_out_mem_ptr;
 if(BITMASK_PRESENT(&m_client_out_bm_count, nPortIndex))
 BITMASK_CLEAR(&m_client_out_bm_count,nPortIndex);
+ } else if (port == PORT_INDEX_IN) {
+ nPortIndex = buffer - (meta_mode_enable?meta_buffer_hdr:m_inp_mem_ptr);
+ if(BITMASK_PRESENT(&m_client_in_bm_count, nPortIndex))
+ BITMASK_CLEAR(&m_client_in_bm_count,nPortIndex);
 }
 if (m_state == OMX_StateIdle && (BITMASK_PRESENT(&m_flags ,OMX_COMPONENT_LOADING_PENDING))) {
@@ -4032,7 +4038,7 @@ OMX_ERRORTYPE omx_video::empty_this_buffer_proxy(OMX_IN OMX_HANDLETYPE hComp,
 auto_lock l(m_buf_lock);
 pmem_data_buf = (OMX_U8 *)m_pInput_pmem[nBufIndex].buffer;
- if (pmem_data_buf && BITMASK_PRESENT(&m_inp_bm_count, nBufIndex)) {
+ if (pmem_data_buf && BITMASK_PRESENT(&m_client_in_bm_count, nBufIndex)) {
 memcpy (pmem_data_buf, (buffer->pBuffer + buffer->nOffset), buffer->nFilledLen);
 }
diff --git a/mm-video-v4l2/vidc/venc/src/omx_video_encoder.cpp b/mm-video-v4l2/vidc/venc/src/omx_video_encoder.cpp
index ac5bfff8..8841fc1f 100644
--- a/mm-video-v4l2/vidc/venc/src/omx_video_encoder.cpp
+++ b/mm-video-v4l2/vidc/venc/src/omx_video_encoder.cpp
@@ -2431,6 +2431,8 @@ OMX_ERRORTYPE omx_venc::component_deinit(OMX_IN OMX_HANDLETYPE hComp)
 for (i=0; i
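Review bot: In the free_buffer hunk, the new input-port branch derives `nPortIndex` by pointer subtraction from the caller-supplied `buffer` and uses it straight away as a bit position in the 64-bit `m_client_in_bm_count`, with no range check visible in the hunk. The function body starts and ends outside this hunk, so an earlier check may exist; if it does not, a header that is not part of the selected array gives an index outside the mask. The index should be compared against the input port's active buffer count before `BITMASK_PRESENT`/`BITMASK_CLEAR`, and the same applies to the existing output-port branch just above. Since the commit message's scenario is a free_buffer call that gets rejected, it is also worth confirming that no early return can run before this clear. A short comment would help later readers, for example `// client memory for this header may be gone from here on; block further copies from pBuffer`.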
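Review bot: In the empty_this_buffer_proxy hunk, the `memcpy` behind the new `m_client_in_bm_count` guard still copies `buffer->nFilledLen` bytes from `buffer->pBuffer + buffer->nOffset` with no length check visible in the hunk. Both fields come from the client's buffer header, so unless they are validated earlier (the function body starts and ends outside the hunk) the copy can read past the client allocation or write past the pmem buffer. A guard on the function's existing error path would bound the source side, for example `if (buffer->nOffset > buffer->nAllocLen || buffer->nFilledLen > buffer->nAllocLen - buffer->nOffset)`, and the destination size needs the same comparison. Separately, when the bit is clear the copy is skipped silently and processing appears to continue with whatever the pmem buffer already holds. Logging and failing the call in that case would make the rejected-free condition visible rather than leaving stale data to be used.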