authorRay Essick <essick@google.com>2017-03-10 16:03:40 -0800
committerAndreas Blaesius <skate4life@gmx.de>2017-09-17 22:10:51 +0200
commit3e4b5ffa75da6a24bf6aef1599f7a7dac96fddf0 (patch)
tree6f203e2d98a7a8102949d08cbccdfe69b2eafba4
parentda0195867c0b6462b7d94dc268e4d196ee7b035d (diff)
Fix TOCTOU problem in libstagefright_soft_aacenc
Fixes a configuration error where we sized a buffer initially based on the configuration at the time and held onto the buffer through the rest of our lifetime. If the configuration was changed in a way that resulted in needing a different size buffer, the code did not make this happen. Patch keeps the buffer around but also stores the 'current allocation size'. This allows the later code that preps the buffer to query if the buffer size is same or changed. If changed, we discard the old buffer and allocate a new one of the appropriate size. safetynet logging added so we can tell how often this happens in the field. Testing was done on nyc-mr2 (where poc was built). Patch applies without change to k/l/m/n/master. Bug: 34621073 Test: run POC, saw new diagnostics saying it caught the size change. Change-Id: Ia95aadc8c727434b7ba9628deeae327c405336d3 (cherry picked from commit 0495c029bd51bcfc1cca8c943ab4ce2f201dbe98) CVE-2017-0756
-rw-r--r--media/libstagefright/codecs/aacenc/SoftAACEncoder2.cpp12
-rw-r--r--media/libstagefright/codecs/aacenc/SoftAACEncoder2.h1
2 files changed, 13 insertions, 0 deletions
diff --git a/media/libstagefright/codecs/aacenc/SoftAACEncoder2.cpp b/media/libstagefright/codecs/aacenc/SoftAACEncoder2.cpp
index 63096f117e..8a7a5cc570 100644
--- a/media/libstagefright/codecs/aacenc/SoftAACEncoder2.cpp
+++ b/media/libstagefright/codecs/aacenc/SoftAACEncoder2.cpp
@@ -16,6 +16,7 @@
//#define LOG_NDEBUG 0
#define LOG_TAG "SoftAACEncoder2"
+#include <log/log.h>
#include <utils/Log.h>
#include "SoftAACEncoder2.h"
@@ -51,6 +52,7 @@ SoftAACEncoder2::SoftAACEncoder2(
mSentCodecSpecificData(false),
mInputSize(0),
mInputFrame(NULL),
+ mAllocatedFrameSize(0),
mInputTimeUs(-1ll),
mSawInputEOS(false),
mSignalledError(false) {
@@ -532,6 +534,15 @@ void SoftAACEncoder2::onQueueFilled(OMX_U32 /* portIndex */) {
if (mInputFrame == NULL) {
mInputFrame = new int16_t[numBytesPerInputFrame / sizeof(int16_t)];
+ mAllocatedFrameSize = numBytesPerInputFrame;
+ } else if (mAllocatedFrameSize != numBytesPerInputFrame) {
+ ALOGE("b/34621073: changed size from %d to %d",
+ (int)mAllocatedFrameSize, (int)numBytesPerInputFrame);
+ android_errorWriteLog(0x534e4554,"34621073");
+ delete mInputFrame;
+ mInputFrame = new int16_t[numBytesPerInputFrame / sizeof(int16_t)];
+ mAllocatedFrameSize = numBytesPerInputFrame;
+
}
if (mInputSize == 0) {
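Review bot: `delete mInputFrame;` in the new resize branch releases storage that was obtained with `new int16_t[...]`, which is a scalar/array delete mismatch and undefined behaviour; onReset in the next hunk already uses the correct form, so this line should read `delete[] mInputFrame;`. The branch also leaves `mInputSize` untouched after swapping in a fresh buffer — onReset clears it together with `mInputFrame`, which suggests it tracks bytes already staged in the frame, and if so a stale offset carried over to a smaller replacement buffer would still be a bounds problem; adding `mInputSize = 0;` after `mAllocatedFrameSize = numBytesPerInputFrame;` looks warranted, to be confirmed against the fill loop below the hunk. The added blank line before the closing brace is a stray whitespace-only change. onQueueFilled begins and ends outside this hunk.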
@@ -682,6 +693,7 @@ void SoftAACEncoder2::onReset() {
delete[] mInputFrame;
mInputFrame = NULL;
mInputSize = 0;
+ mAllocatedFrameSize = 0;
mSentCodecSpecificData = false;
mInputTimeUs = -1ll;
diff --git a/media/libstagefright/codecs/aacenc/SoftAACEncoder2.h b/media/libstagefright/codecs/aacenc/SoftAACEncoder2.h
index f1b81e18f6..123fd253f7 100644
--- a/media/libstagefright/codecs/aacenc/SoftAACEncoder2.h
+++ b/media/libstagefright/codecs/aacenc/SoftAACEncoder2.h
@@ -62,6 +62,7 @@ private:
bool mSentCodecSpecificData;
size_t mInputSize;
int16_t *mInputFrame;
+ size_t mAllocatedFrameSize;
int64_t mInputTimeUs;
bool mSawInputEOS;
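Review bot: `mAllocatedFrameSize` is added next to the existing `size_t mInputSize` with no comment, so a reader cannot tell which of the two records the allocation and which records the fill level. The constructor and onReset hunks set it to 0 whenever `mInputFrame` is NULL, and onQueueFilled compares it against the current frame size in bytes, so a one-line comment would make the invariant explicit: `size_t mAllocatedFrameSize;  // bytes allocated for mInputFrame; 0 while mInputFrame is NULL`.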