mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2025-01-06 13:18:02 -05:00
92 lines
3.8 KiB
Diff
92 lines
3.8 KiB
Diff
|
From 905826825e4459c0dfc9d6475e950d6be3a16fc7 Mon Sep 17 00:00:00 2001
|
||
|
From: Praveen Chavan <pchavan@codeaurora.org>
|
||
|
Date: Mon, 25 Apr 2016 11:51:05 -0700
|
||
|
Subject: mm-video-v4l2: venc: Avoid processing ETBs/FTBs in invalid states
|
||
|
|
||
|
(per the spec) ETB/FTB should not be handled in states other than
|
||
|
Executing, Paused and Idle. This avoids accessing invalid buffers.
|
||
|
Also add a lock to protect the private-buffers from being deleted
|
||
|
while accessing from another thread.
|
||
|
|
||
|
Bug: 27903498
|
||
|
Security Vulnerability - Heap Use-After-Free and Possible LPE in
|
||
|
MediaServer (libOmxVenc problem #3)
|
||
|
|
||
|
CRs-Fixed: 1010088
|
||
|
|
||
|
Change-Id: I898b42034c0add621d4f9d8e02ca0ed4403d4fd3
|
||
|
---
|
||
|
mm-video-v4l2/vidc/venc/src/omx_video_base.cpp | 20 ++++++++++++++++----
|
||
|
1 file changed, 16 insertions(+), 4 deletions(-)
|
||
|
|
||
|
diff --git a/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp b/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp
|
||
|
index a481872..df30748 100644
|
||
|
--- a/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp
|
||
|
+++ b/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp
|
||
|
@@ -2561,6 +2561,8 @@ OMX_ERRORTYPE omx_video::free_input_buffer(OMX_BUFFERHEADERTYPE *bufferHdr)
|
||
|
}
|
||
|
|
||
|
if (index < m_sInPortDef.nBufferCountActual && m_pInput_pmem) {
|
||
|
+ auto_lock l(m_lock);
|
||
|
+
|
||
|
if (m_pInput_pmem[index].fd > 0 && input_use_buffer == false) {
|
||
|
DEBUG_PRINT_LOW("FreeBuffer:: i/p AllocateBuffer case");
|
||
|
if(!secure_session) {
|
||
|
@@ -2568,6 +2570,7 @@ OMX_ERRORTYPE omx_video::free_input_buffer(OMX_BUFFERHEADERTYPE *bufferHdr)
|
||
|
} else {
|
||
|
free(m_pInput_pmem[index].buffer);
|
||
|
}
|
||
|
+ m_pInput_pmem[index].buffer = NULL;
|
||
|
close (m_pInput_pmem[index].fd);
|
||
|
#ifdef USE_ION
|
||
|
free_ion_memory(&m_pInput_ion[index]);
|
||
|
@@ -2581,6 +2584,7 @@ OMX_ERRORTYPE omx_video::free_input_buffer(OMX_BUFFERHEADERTYPE *bufferHdr)
|
||
|
}
|
||
|
if(!secure_session) {
|
||
|
munmap (m_pInput_pmem[index].buffer,m_pInput_pmem[index].size);
|
||
|
+ m_pInput_pmem[index].buffer = NULL;
|
||
|
}
|
||
|
close (m_pInput_pmem[index].fd);
|
||
|
#ifdef USE_ION
|
||
|
@@ -3296,7 +3300,9 @@ OMX_ERRORTYPE omx_video::empty_this_buffer(OMX_IN OMX_HANDLETYPE hComp,
|
||
|
unsigned int nBufferIndex ;
|
||
|
|
||
|
DEBUG_PRINT_LOW("ETB: buffer = %p, buffer->pBuffer[%p]", buffer, buffer->pBuffer);
|
||
|
- if (m_state == OMX_StateInvalid) {
|
||
|
+ if (m_state != OMX_StateExecuting &&
|
||
|
+ m_state != OMX_StatePause &&
|
||
|
+ m_state != OMX_StateIdle) {
|
||
|
DEBUG_PRINT_ERROR("ERROR: Empty this buffer in Invalid State");
|
||
|
return OMX_ErrorInvalidState;
|
||
|
}
|
||
|
@@ -3459,9 +3465,13 @@ OMX_ERRORTYPE omx_video::empty_this_buffer_proxy(OMX_IN OMX_HANDLETYPE hComp,
|
||
|
#endif
|
||
|
{
|
||
|
DEBUG_PRINT_LOW("Heap UseBuffer case, so memcpy the data");
|
||
|
+
|
||
|
+ auto_lock l(m_lock);
|
||
|
pmem_data_buf = (OMX_U8 *)m_pInput_pmem[nBufIndex].buffer;
|
||
|
- memcpy (pmem_data_buf, (buffer->pBuffer + buffer->nOffset),
|
||
|
- buffer->nFilledLen);
|
||
|
+ if (pmem_data_buf) {
|
||
|
+ memcpy (pmem_data_buf, (buffer->pBuffer + buffer->nOffset),
|
||
|
+ buffer->nFilledLen);
|
||
|
+ }
|
||
|
DEBUG_PRINT_LOW("memcpy() done in ETBProxy for i/p Heap UseBuf");
|
||
|
} else if (mUseProxyColorFormat) {
|
||
|
// Gralloc-source buffers with color-conversion
|
||
|
@@ -3520,7 +3530,9 @@ OMX_ERRORTYPE omx_video::fill_this_buffer(OMX_IN OMX_HANDLETYPE hComp,
|
||
|
OMX_IN OMX_BUFFERHEADERTYPE* buffer)
|
||
|
{
|
||
|
DEBUG_PRINT_LOW("FTB: buffer->pBuffer[%p]", buffer->pBuffer);
|
||
|
- if (m_state == OMX_StateInvalid) {
|
||
|
+ if (m_state != OMX_StateExecuting &&
|
||
|
+ m_state != OMX_StatePause &&
|
||
|
+ m_state != OMX_StateIdle) {
|
||
|
DEBUG_PRINT_ERROR("ERROR: FTB in Invalid State");
|
||
|
return OMX_ErrorInvalidState;
|
||
|
}
|
||
|
--
|
||
|
cgit v1.1
|
||
|
|