DivestOS/Patches/LineageOS-17.1/android_frameworks_av/378048.patch

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Toni Heidenreich <tonihei@google.com>
Date: Wed, 6 Sep 2023 12:49:33 +0000
Subject: [PATCH] httplive: fix use-after-free

Implement a mutex to ensure secure multi-threaded
access to the KeyedVector in MetaDataBase.
Concurrent access by different threads can lead
to accessing the wrong memory location due to
potential changes in the vector

Bug: 298057702
Test: HTTP Live Streaming test
(cherry picked from https://partner-android-review.googlesource.com/q/commit:a2dfb31957a9d5358d0219a0eda7dcb5b0fff5fe)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:90fb4ca425444429ada6ce0de1c13d35829bc196)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:3c1d9613ef64e01d2e81c4aa44c90dcd8ca958b9)
Merged-In: I46b05c85d9c39f4ce549efc160c08a0646c9fd0a
Change-Id: I46b05c85d9c39f4ce549efc160c08a0646c9fd0a
---
 media/libstagefright/foundation/MetaDataBase.cpp | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/media/libstagefright/foundation/MetaDataBase.cpp b/media/libstagefright/foundation/MetaDataBase.cpp
index bfea6f1537..a3c623e354 100644
--- a/media/libstagefright/foundation/MetaDataBase.cpp
+++ b/media/libstagefright/foundation/MetaDataBase.cpp
@@ -24,6 +24,8 @@
 #include <stdlib.h>
 #include <string.h>
 
+#include <mutex>
+
 #include <media/stagefright/foundation/ADebug.h>
 #include <media/stagefright/foundation/AString.h>
 #include <media/stagefright/foundation/hexdump.h>
@@ -75,6 +77,7 @@ struct MetaDataBase::Rect {
 
 
 struct MetaDataBase::MetaDataInternal {
+    std::mutex mLock;
     KeyedVector<uint32_t, MetaDataBase::typed_data> mItems;
 };
 
@@ -99,10 +102,12 @@ MetaDataBase::~MetaDataBase() {
 }
 
 void MetaDataBase::clear() {
+    std::lock_guard<std::mutex> guard(mInternalData->mLock);
     mInternalData->mItems.clear();
 }
 
 bool MetaDataBase::remove(uint32_t key) {
+    std::lock_guard<std::mutex> guard(mInternalData->mLock);
     ssize_t i = mInternalData->mItems.indexOfKey(key);
 
     if (i < 0) {
@@ -249,6 +254,7 @@ bool MetaDataBase::setData(
         uint32_t key, uint32_t type, const void *data, size_t size) {
     bool overwrote_existing = true;
 
+    std::lock_guard<std::mutex> guard(mInternalData->mLock);
     ssize_t i = mInternalData->mItems.indexOfKey(key);
     if (i < 0) {
         typed_data item;
@@ -266,6 +272,7 @@ bool MetaDataBase::setData(
 
 bool MetaDataBase::findData(uint32_t key, uint32_t *type,
                         const void **data, size_t *size) const {
+    std::lock_guard<std::mutex> guard(mInternalData->mLock);
     ssize_t i = mInternalData->mItems.indexOfKey(key);
 
     if (i < 0) {
@@ -280,6 +287,7 @@ bool MetaDataBase::findData(uint32_t key, uint32_t *type,
 }
 
 bool MetaDataBase::hasData(uint32_t key) const {
+    std::lock_guard<std::mutex> guard(mInternalData->mLock);
     ssize_t i = mInternalData->mItems.indexOfKey(key);
 
     if (i < 0) {
@@ -426,6 +434,7 @@ static void MakeFourCCString(uint32_t x, char *s) {
 
 String8 MetaDataBase::toString() const {
     String8 s;
+    std::lock_guard<std::mutex> guard(mInternalData->mLock);
     for (int i = mInternalData->mItems.size(); --i >= 0;) {
         int32_t key = mInternalData->mItems.keyAt(i);
         char cc[5];
@@ -440,6 +449,7 @@ String8 MetaDataBase::toString() const {
 }
 
 void MetaDataBase::dumpToLog() const {
+    std::lock_guard<std::mutex> guard(mInternalData->mLock);
     for (int i = mInternalData->mItems.size(); --i >= 0;) {
         int32_t key = mInternalData->mItems.keyAt(i);
         char cc[5];
@@ -451,6 +461,7 @@ void MetaDataBase::dumpToLog() const {
 
 status_t MetaDataBase::writeToParcel(Parcel &parcel) {
     status_t ret;
+    std::lock_guard<std::mutex> guard(mInternalData->mLock);
     size_t numItems = mInternalData->mItems.size();
     ret = parcel.writeUint32(uint32_t(numItems));
     if (ret) {
17.1: Import and verify picks https://review.lineageos.org/c/LineageOS/android_frameworks_base/+/353117 https://review.lineageos.org/q/topic:Q_asb_2023-03 https://review.lineageos.org/q/topic:Q_asb_2023-04 https://review.lineageos.org/q/topic:Q_asb_2023-05 https://review.lineageos.org/q/topic:Q_asb_2023-06 https://review.lineageos.org/q/topic:Q_asb_2023-07 https://review.lineageos.org/q/topic:Q_asb_2023-08 accounted for via patches: https://review.lineageos.org/c/LineageOS/android_system_ca-certificates/+/376560 https://review.lineageos.org/c/LineageOS/android_system_ca-certificates/+/376561 https://review.lineageos.org/c/LineageOS/android_system_ca-certificates/+/376562 https://review.lineageos.org/q/topic:Q_asb_2023-09 https://review.lineageos.org/q/topic:Q_asb_2023-10 https://review.lineageos.org/q/topic:Q_asb_2023-11 accounted for via patches: https://review.lineageos.org/c/LineageOS/android_system_ca-certificates/+/376563 accounted for via manifest change: https://review.lineageos.org/c/LineageOS/android_external_webp/+/376568 https://review.lineageos.org/q/topic:Q_asb_2023-12 https://review.lineageos.org/q/topic:Q_asb_2024-01 https://review.lineageos.org/q/topic:Q_asb_2024-02 https://review.lineageos.org/q/topic:Q_asb_2024-03 Signed-off-by: Tavi <tavi@divested.dev> 2024-05-08 11:49:25 -04:00			`From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001`
			`From: Toni Heidenreich <tonihei@google.com>`
			`Date: Wed, 6 Sep 2023 12:49:33 +0000`
			`Subject: [PATCH] httplive: fix use-after-free`

			`Implement a mutex to ensure secure multi-threaded`
			`access to the KeyedVector in MetaDataBase.`
			`Concurrent access by different threads can lead`
			`to accessing the wrong memory location due to`
			`potential changes in the vector`

			`Bug: 298057702`
			`Test: HTTP Live Streaming test`
			`(cherry picked from https://partner-android-review.googlesource.com/q/commit:a2dfb31957a9d5358d0219a0eda7dcb5b0fff5fe)`
			`(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:90fb4ca425444429ada6ce0de1c13d35829bc196)`
			`(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:3c1d9613ef64e01d2e81c4aa44c90dcd8ca958b9)`
			`Merged-In: I46b05c85d9c39f4ce549efc160c08a0646c9fd0a`
			`Change-Id: I46b05c85d9c39f4ce549efc160c08a0646c9fd0a`
			`---`
			`media/libstagefright/foundation/MetaDataBase.cpp \| 11 +++++++++++`
			`1 file changed, 11 insertions(+)`

			`diff --git a/media/libstagefright/foundation/MetaDataBase.cpp b/media/libstagefright/foundation/MetaDataBase.cpp`
			`index bfea6f1537..a3c623e354 100644`
			`--- a/media/libstagefright/foundation/MetaDataBase.cpp`
			`+++ b/media/libstagefright/foundation/MetaDataBase.cpp`
			`@@ -24,6 +24,8 @@`
			`#include <stdlib.h>`
			`#include <string.h>`

			`+#include <mutex>`
			`+`
			`#include <media/stagefright/foundation/ADebug.h>`
			`#include <media/stagefright/foundation/AString.h>`
			`#include <media/stagefright/foundation/hexdump.h>`
			`@@ -75,6 +77,7 @@ struct MetaDataBase::Rect {`


			`struct MetaDataBase::MetaDataInternal {`
			`+ std::mutex mLock;`
			`KeyedVector<uint32_t, MetaDataBase::typed_data> mItems;`
			`};`

			`@@ -99,10 +102,12 @@ MetaDataBase::~MetaDataBase() {`
			`}`

			`void MetaDataBase::clear() {`
			`+ std::lock_guard<std::mutex> guard(mInternalData->mLock);`
			`mInternalData->mItems.clear();`
			`}`

			`bool MetaDataBase::remove(uint32_t key) {`
			`+ std::lock_guard<std::mutex> guard(mInternalData->mLock);`
			`ssize_t i = mInternalData->mItems.indexOfKey(key);`

			`if (i < 0) {`
			`@@ -249,6 +254,7 @@ bool MetaDataBase::setData(`
			`uint32_t key, uint32_t type, const void *data, size_t size) {`
			`bool overwrote_existing = true;`

			`+ std::lock_guard<std::mutex> guard(mInternalData->mLock);`
			`ssize_t i = mInternalData->mItems.indexOfKey(key);`
			`if (i < 0) {`
			`typed_data item;`
			`@@ -266,6 +272,7 @@ bool MetaDataBase::setData(`

			`bool MetaDataBase::findData(uint32_t key, uint32_t *type,`
			`const void *data, size_t size) const {`
			`+ std::lock_guard<std::mutex> guard(mInternalData->mLock);`
			`ssize_t i = mInternalData->mItems.indexOfKey(key);`

			`if (i < 0) {`
			`@@ -280,6 +287,7 @@ bool MetaDataBase::findData(uint32_t key, uint32_t *type,`
			`}`

			`bool MetaDataBase::hasData(uint32_t key) const {`
			`+ std::lock_guard<std::mutex> guard(mInternalData->mLock);`
			`ssize_t i = mInternalData->mItems.indexOfKey(key);`

			`if (i < 0) {`
			`@@ -426,6 +434,7 @@ static void MakeFourCCString(uint32_t x, char *s) {`

			`String8 MetaDataBase::toString() const {`
			`String8 s;`
			`+ std::lock_guard<std::mutex> guard(mInternalData->mLock);`
			`for (int i = mInternalData->mItems.size(); --i >= 0;) {`
			`int32_t key = mInternalData->mItems.keyAt(i);`
			`char cc[5];`
			`@@ -440,6 +449,7 @@ String8 MetaDataBase::toString() const {`
			`}`

			`void MetaDataBase::dumpToLog() const {`
			`+ std::lock_guard<std::mutex> guard(mInternalData->mLock);`
			`for (int i = mInternalData->mItems.size(); --i >= 0;) {`
			`int32_t key = mInternalData->mItems.keyAt(i);`
			`char cc[5];`
			`@@ -451,6 +461,7 @@ void MetaDataBase::dumpToLog() const {`

			`status_t MetaDataBase::writeToParcel(Parcel &parcel) {`
			`status_t ret;`
			`+ std::lock_guard<std::mutex> guard(mInternalData->mLock);`
			`size_t numItems = mInternalData->mItems.size();`
			`ret = parcel.writeUint32(uint32_t(numItems));`
			`if (ret) {`