From 050da06eba1e64904a6dc89b1d6ced737991b6dc Mon Sep 17 00:00:00 2001 From: Tad Date: Fri, 9 Jul 2021 21:04:08 -0400 Subject: [PATCH] Move n_asb_09-2018-qcom in tree --- .../227623.patch | 28 +++ .../227624.patch | 29 +++ .../229952.patch | 46 +++++ .../android_hardware_qcom_media/227620.patch | 186 +++++++++++++++++ .../android_hardware_qcom_media/227622.patch | 192 ++++++++++++++++++ .../android_hardware_qcom_media/229950.patch | 179 ++++++++++++++++ .../android_hardware_qcom_media/229951.patch | 175 ++++++++++++++++ Scripts/LineageOS-14.1/Functions.sh | 1 - Scripts/LineageOS-14.1/Patch.sh | 22 ++ 9 files changed, 857 insertions(+), 1 deletion(-) create mode 100644 Patches/LineageOS-14.1/android_hardware_qcom_display/227623.patch create mode 100644 Patches/LineageOS-14.1/android_hardware_qcom_display/227624.patch create mode 100644 Patches/LineageOS-14.1/android_hardware_qcom_display/229952.patch create mode 100644 Patches/LineageOS-14.1/android_hardware_qcom_media/227620.patch create mode 100644 Patches/LineageOS-14.1/android_hardware_qcom_media/227622.patch create mode 100644 Patches/LineageOS-14.1/android_hardware_qcom_media/229950.patch create mode 100644 Patches/LineageOS-14.1/android_hardware_qcom_media/229951.patch diff --git a/Patches/LineageOS-14.1/android_hardware_qcom_display/227623.patch b/Patches/LineageOS-14.1/android_hardware_qcom_display/227623.patch new file mode 100644 index 00000000..0fef0d75 --- /dev/null +++ b/Patches/LineageOS-14.1/android_hardware_qcom_display/227623.patch @@ -0,0 +1,28 @@ +From 884ada777494cfb80ec77739703d6eef66c40d1e Mon Sep 17 00:00:00 2001 +From: Courtney Goeltzenleuchter +Date: Thu, 24 May 2018 08:23:55 -0600 +Subject: [PATCH] Fix Buffer Overflow in Vendor Service display.qservice + +Bug: 63145942 +Test: adb shell vndservice call display.qservice 36 s16 sdlkfjsadlfkjasdf +Change-Id: I3fdf5ccd2bf4ed0fa980883fefdb57eb5fbfeee7 +(cherry picked from commit 4050091844ccd427587024e5fd916113a5cc0029) +--- + sdm/libs/hwc2/hwc_session.cpp | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/sdm/libs/hwc2/hwc_session.cpp b/sdm/libs/hwc2/hwc_session.cpp +index d3c13eee9..90aa4f219 100644 +--- a/sdm/libs/hwc2/hwc_session.cpp ++++ b/sdm/libs/hwc2/hwc_session.cpp +@@ -1240,6 +1240,10 @@ android::status_t HWCSession::SetColorModeOverride(const android::Parcel *input_ + auto mode = static_cast(input_parcel->readInt32()); + auto device = static_cast(this); + ++ if (display > HWC_DISPLAY_VIRTUAL) { ++ return -EINVAL; ++ } ++ + if (display >= HWC_NUM_DISPLAY_TYPES) { + return -EINVAL; + } diff --git a/Patches/LineageOS-14.1/android_hardware_qcom_display/227624.patch b/Patches/LineageOS-14.1/android_hardware_qcom_display/227624.patch new file mode 100644 index 00000000..8ffb54aa --- /dev/null +++ b/Patches/LineageOS-14.1/android_hardware_qcom_display/227624.patch @@ -0,0 +1,29 @@ +From 6cabf9c6ba281ab44a6b94f0b5f8c3c2026416f9 Mon Sep 17 00:00:00 2001 +From: Courtney Goeltzenleuchter +Date: Thu, 24 May 2018 08:23:55 -0600 +Subject: [PATCH] Fix Buffer Overflow in Vendor Service display.qservice + +Bug: 63145942 +Test: adb shell vndservice call display.qservice 36 s16 sdlkfjsadlfkjasdf +Change-Id: I3fdf5ccd2bf4ed0fa980883fefdb57eb5fbfeee7 +(cherry picked from commit 4050091844ccd427587024e5fd916113a5cc0029) +--- + sdm/libs/hwc2/hwc_session.cpp | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/sdm/libs/hwc2/hwc_session.cpp b/sdm/libs/hwc2/hwc_session.cpp +index 5f825c19b..e4b687d6b 100644 +--- a/sdm/libs/hwc2/hwc_session.cpp ++++ b/sdm/libs/hwc2/hwc_session.cpp +@@ -1226,6 +1226,11 @@ android::status_t HWCSession::SetColorModeOverride(const android::Parcel *input_ + auto display = static_cast(input_parcel->readInt32()); + auto mode = static_cast(input_parcel->readInt32()); + auto device = static_cast(this); ++ ++ if (display > HWC_DISPLAY_VIRTUAL) { ++ return -EINVAL; ++ } ++ + auto err = CallDisplayFunction(device, display, &HWCDisplay::SetColorMode, mode); + if (err != HWC2_ERROR_NONE) + return -EINVAL; diff --git a/Patches/LineageOS-14.1/android_hardware_qcom_display/229952.patch b/Patches/LineageOS-14.1/android_hardware_qcom_display/229952.patch new file mode 100644 index 00000000..af420921 --- /dev/null +++ b/Patches/LineageOS-14.1/android_hardware_qcom_display/229952.patch @@ -0,0 +1,46 @@ +From 0d2fd535bedf567d8ec9adee5e5e5645164558f4 Mon Sep 17 00:00:00 2001 +From: Courtney Goeltzenleuchter +Date: Thu, 24 May 2018 08:23:55 -0600 +Subject: [PATCH] Fix Buffer Overflow in Vendor Service display.qservice + +Bug: 63145942 +Test: adb shell vndservice call display.qservice 36 s16 sdlkfjsadlfkjasdf +Change-Id: I3fdf5ccd2bf4ed0fa980883fefdb57eb5fbfeee7 +(cherry picked from commit 4050091844ccd427587024e5fd916113a5cc0029) +--- + msm8996/sdm/libs/hwc2/hwc_session.cpp | 5 +++++ + msm8998/sdm/libs/hwc2/hwc_session.cpp | 5 +++++ + 2 files changed, 10 insertions(+) + +diff --git a/msm8996/sdm/libs/hwc2/hwc_session.cpp b/msm8996/sdm/libs/hwc2/hwc_session.cpp +index e4d6cacda..6af85417c 100644 +--- a/msm8996/sdm/libs/hwc2/hwc_session.cpp ++++ b/msm8996/sdm/libs/hwc2/hwc_session.cpp +@@ -1215,6 +1215,11 @@ android::status_t HWCSession::SetColorModeOverride(const android::Parcel *input_ + auto display = static_cast(input_parcel->readInt32()); + auto mode = static_cast(input_parcel->readInt32()); + auto device = static_cast(this); ++ ++ if (display > HWC_DISPLAY_VIRTUAL) { ++ return -EINVAL; ++ } ++ + auto err = CallDisplayFunction(device, display, &HWCDisplay::SetColorMode, mode); + if (err != HWC2_ERROR_NONE) + return -EINVAL; +diff --git a/msm8998/sdm/libs/hwc2/hwc_session.cpp b/msm8998/sdm/libs/hwc2/hwc_session.cpp +index 96111d9f3..01c6d367b 100644 +--- a/msm8998/sdm/libs/hwc2/hwc_session.cpp ++++ b/msm8998/sdm/libs/hwc2/hwc_session.cpp +@@ -1214,6 +1214,11 @@ android::status_t HWCSession::SetColorModeOverride(const android::Parcel *input_ + auto display = static_cast(input_parcel->readInt32()); + auto mode = static_cast(input_parcel->readInt32()); + auto device = static_cast(this); ++ ++ if (display > HWC_DISPLAY_VIRTUAL) { ++ return -EINVAL; ++ } ++ + auto err = CallDisplayFunction(device, display, &HWCDisplay::SetColorMode, mode); + if (err != HWC2_ERROR_NONE) + return -EINVAL; diff --git a/Patches/LineageOS-14.1/android_hardware_qcom_media/227620.patch b/Patches/LineageOS-14.1/android_hardware_qcom_media/227620.patch new file mode 100644 index 00000000..d862f1d4 --- /dev/null +++ b/Patches/LineageOS-14.1/android_hardware_qcom_media/227620.patch @@ -0,0 +1,186 @@ +From ad22eabfe9abb5196bbf0136371e849a46142bc0 Mon Sep 17 00:00:00 2001 +From: Santhosh Behara +Date: Tue, 15 May 2018 06:09:50 -0700 +Subject: [PATCH] mm-video-v4l2: Protect buffer access and increase input + buffer size + +Protect buffer access for below scenarios: + +*Increase the scope of buf_lock in free_buffer to avoid access + of freed buffer for both input and output buffers. Also, add check + before output buffer access. + +*Disallow allocate buffer mode after client has called use buffer. + +Allocate additional 512 bytes of memory for input buffers on top of +allocation size as per hardware requirement. + +Bug: 64340487 +Test: ran POC on bullhead/nyc-dev +Change-Id: Iabbb2d7e00ff97bfc47b04386feec66976fca99a +(cherry picked from commit 83aeab22d1bdc493b3ea2f50616bb8fd460d6c74) +--- + mm-video-v4l2/vidc/vdec/inc/omx_vdec.h | 3 +- + .../vidc/vdec/src/omx_vdec_msm8974.cpp | 33 +++++++++++++++---- + 2 files changed, 28 insertions(+), 8 deletions(-) + +diff --git a/mm-video-v4l2/vidc/vdec/inc/omx_vdec.h b/mm-video-v4l2/vidc/vdec/inc/omx_vdec.h +index 9b01376d5..07cbcc772 100644 +--- a/mm-video-v4l2/vidc/vdec/inc/omx_vdec.h ++++ b/mm-video-v4l2/vidc/vdec/inc/omx_vdec.h +@@ -1,5 +1,5 @@ + /*-------------------------------------------------------------------------- +-Copyright (c) 2010 - 2014, The Linux Foundation. All rights reserved. ++Copyright (c) 2010 - 2014, 2018, The Linux Foundation. All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions +@@ -1066,6 +1066,7 @@ class omx_vdec: public qc_omx_component + } + + static OMX_ERRORTYPE describeColorFormat(OMX_PTR params); ++ bool m_buffer_error; + }; + + #ifdef _MSM8974_ +diff --git a/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp b/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp +index ccfb8c2d2..b887b72bd 100644 +--- a/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp ++++ b/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp +@@ -1,5 +1,5 @@ + /*-------------------------------------------------------------------------- +-Copyright (c) 2010 - 2014, The Linux Foundation. All rights reserved. ++Copyright (c) 2010 - 2014, 2018, The Linux Foundation. All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: +@@ -574,7 +574,8 @@ omx_vdec::omx_vdec(): m_error_propogated(false), + m_profile(0), + client_set_fps(false), + m_last_rendered_TS(-1), +- m_queued_codec_config_count(0) ++ m_queued_codec_config_count(0), ++ m_buffer_error(false) + { + /* Assumption is that , to begin with , we have all the frames with decoder */ + DEBUG_PRINT_HIGH("In OMX vdec Constructor"); +@@ -4490,6 +4491,7 @@ OMX_ERRORTYPE omx_vdec::use_output_buffer( + eRet = allocate_output_headers(); + if (eRet == OMX_ErrorNone) + eRet = allocate_extradata(); ++ output_use_buffer = true; + } + + if (eRet == OMX_ErrorNone) { +@@ -4892,7 +4894,6 @@ OMX_ERRORTYPE omx_vdec::free_input_buffer(OMX_BUFFERHEADERTYPE *bufferHdr) + index = bufferHdr - m_inp_mem_ptr; + DEBUG_PRINT_LOW("Free Input Buffer index = %d",index); + +- auto_lock l(buf_lock); + bufferHdr->pInputPortPrivate = NULL; + + if (index < drv_ctx.ip_buf.actualcount && drv_ctx.ptr_inputbuffer) { +@@ -5102,6 +5103,7 @@ OMX_ERRORTYPE omx_vdec::allocate_input_buffer( + unsigned i = 0; + unsigned char *buf_addr = NULL; + int pmem_fd = -1; ++ unsigned int align_size = 0; + + if (bytes != drv_ctx.ip_buf.buffer_size) { + DEBUG_PRINT_LOW("Requested Size is wrong %lu epected is %d", +@@ -5157,8 +5159,10 @@ OMX_ERRORTYPE omx_vdec::allocate_input_buffer( + int rc; + DEBUG_PRINT_LOW("Allocate input Buffer"); + #ifdef USE_ION ++ align_size = drv_ctx.ip_buf.buffer_size + 512; ++ align_size = (align_size + drv_ctx.ip_buf.alignment - 1)&(~(drv_ctx.ip_buf.alignment - 1)); + drv_ctx.ip_buf_ion_info[i].ion_device_fd = alloc_map_ion_memory( +- drv_ctx.ip_buf.buffer_size,drv_ctx.op_buf.alignment, ++ align_size, drv_ctx.op_buf.alignment, + &drv_ctx.ip_buf_ion_info[i].ion_alloc_data, + &drv_ctx.ip_buf_ion_info[i].fd_ion_data, secure_mode ? ION_SECURE : 0); + if (drv_ctx.ip_buf_ion_info[i].ion_device_fd < 0) { +@@ -5639,6 +5643,10 @@ OMX_ERRORTYPE omx_vdec::allocate_buffer(OMX_IN OMX_HANDLETYPE hC + eRet = allocate_input_buffer(hComp,bufferHdr,port,appData,bytes); + } + } else if (port == OMX_CORE_OUTPUT_PORT_INDEX) { ++ if (output_use_buffer) { ++ DEBUG_PRINT_ERROR("Allocate output buffer not allowed after use buffer"); ++ return OMX_ErrorBadParameter; ++ } + eRet = client_buffers.allocate_buffers_color_convert(hComp,bufferHdr,port, + appData,bytes); + } else { +@@ -5698,6 +5706,7 @@ OMX_ERRORTYPE omx_vdec::free_buffer(OMX_IN OMX_HANDLETYPE hComp __unuse + unsigned int nPortIndex; + DEBUG_PRINT_LOW("In for decoder free_buffer"); + ++ auto_lock l(buf_lock); + if (m_state == OMX_StateIdle && + (BITMASK_PRESENT(&m_flags ,OMX_COMPONENT_LOADING_PENDING))) { + DEBUG_PRINT_LOW(" free buffer while Component in Loading pending"); +@@ -5714,7 +5723,7 @@ OMX_ERRORTYPE omx_vdec::free_buffer(OMX_IN OMX_HANDLETYPE hComp __unuse + post_event(OMX_EventError, + OMX_ErrorPortUnpopulated, + OMX_COMPONENT_GENERATE_EVENT); +- ++ m_buffer_error = true; + return OMX_ErrorIncorrectStateOperation; + } else if (m_state != OMX_StateInvalid) { + DEBUG_PRINT_ERROR("Invalid state to free buffer,port lost Buffers"); +@@ -5722,7 +5731,6 @@ OMX_ERRORTYPE omx_vdec::free_buffer(OMX_IN OMX_HANDLETYPE hComp __unuse + OMX_ErrorPortUnpopulated, + OMX_COMPONENT_GENERATE_EVENT); + } +- + if (port == OMX_CORE_INPUT_PORT_INDEX) { + /*Check if arbitrary bytes*/ + if (!arbitrary_bytes && !input_use_buffer) +@@ -5819,6 +5827,7 @@ OMX_ERRORTYPE omx_vdec::free_buffer(OMX_IN OMX_HANDLETYPE hComp __unuse + BITMASK_CLEAR((&m_flags),OMX_COMPONENT_LOADING_PENDING); + post_event(OMX_CommandStateSet, OMX_StateLoaded, + OMX_COMPONENT_GENERATE_EVENT); ++ m_buffer_error = false; + } + } + return eRet; +@@ -5982,6 +5991,11 @@ OMX_ERRORTYPE omx_vdec::empty_this_buffer_proxy(OMX_IN OMX_HANDLETYPE h + if (!temp_buffer || (temp_buffer - drv_ctx.ptr_inputbuffer) > (int)drv_ctx.ip_buf.actualcount) { + return OMX_ErrorBadParameter; + } ++ ++ if (BITMASK_ABSENT(&m_inp_bm_count, nPortIndex) || m_buffer_error) { ++ DEBUG_PRINT_ERROR("ETBProxy: ERROR: invalid buffer, nPortIndex %u", nPortIndex); ++ return OMX_ErrorBadParameter; ++ } + /* If its first frame, H264 codec and reject is true, then parse the nal + and get the profile. Based on this, reject the clip playback */ + if (first_frame == 0 && codec_type_parse == CODEC_TYPE_H264 && +@@ -6268,6 +6282,7 @@ OMX_ERRORTYPE omx_vdec::fill_this_buffer_proxy( + struct vdec_bufferpayload *ptr_outputbuffer = NULL; + struct vdec_output_frameinfo *ptr_respbuffer = NULL; + ++ auto_lock l(buf_lock); + nPortIndex = buffer-((OMX_BUFFERHEADERTYPE *)client_buffers.get_il_buf_hdr()); + + if (bufferAdd == NULL || nPortIndex >= drv_ctx.op_buf.actualcount) { +@@ -6276,6 +6291,10 @@ OMX_ERRORTYPE omx_vdec::fill_this_buffer_proxy( + return OMX_ErrorBadParameter; + } + ++ if (BITMASK_ABSENT(&m_out_bm_count, nPortIndex) || m_buffer_error) { ++ DEBUG_PRINT_ERROR("FTBProxy: ERROR: invalid buffer, nPortIndex %u", nPortIndex); ++ return OMX_ErrorBadParameter; ++ } + DEBUG_PRINT_LOW("FTBProxy: bufhdr = %p, bufhdr->pBuffer = %p", + bufferAdd, bufferAdd->pBuffer); + /*Return back the output buffer to client*/ +@@ -7417,7 +7436,7 @@ int omx_vdec::async_message_process (void *context, void* message) + output_respbuf->pic_type = PICTURE_TYPE_B; + } + +- if (omx->output_use_buffer) ++ if (!omx->m_enable_android_native_buffers && omx->output_use_buffer) + memcpy ( omxhdr->pBuffer, (void *) + ((unsigned long)vdec_msg->msgdata.output_frame.bufferaddr + + (unsigned long)vdec_msg->msgdata.output_frame.offset), diff --git a/Patches/LineageOS-14.1/android_hardware_qcom_media/227622.patch b/Patches/LineageOS-14.1/android_hardware_qcom_media/227622.patch new file mode 100644 index 00000000..16fb942b --- /dev/null +++ b/Patches/LineageOS-14.1/android_hardware_qcom_media/227622.patch @@ -0,0 +1,192 @@ +From 742cf6ad5c74b71063af755b7ef7df2a3a2f19a3 Mon Sep 17 00:00:00 2001 +From: Santhosh Behara +Date: Tue, 15 May 2018 06:09:50 -0700 +Subject: [PATCH] mm-video-v4l2: Protect buffer access and increase input + buffer size + +Protect buffer access for below scenarios: + +*Increase the scope of buf_lock in free_buffer to avoid access + of freed buffer for both input and output buffers. Also, add check + before output buffer access. + +*Disallow allocate buffer mode after client has called use buffer. + +Allocate additional 512 bytes of memory for input buffers on top of +allocation size as per hardware requirement. + +Bug: 64340487 +Test: ran POC on bullhead/nyc-dev +Change-Id: Iabbb2d7e00ff97bfc47b04386feec66976fca99a +(cherry picked from commit 83aeab22d1bdc493b3ea2f50616bb8fd460d6c74) +--- + mm-video-v4l2/vidc/vdec/inc/omx_vdec.h | 3 +- + .../vidc/vdec/src/omx_vdec_msm8974.cpp | 34 +++++++++++++++---- + 2 files changed, 29 insertions(+), 8 deletions(-) + +diff --git a/mm-video-v4l2/vidc/vdec/inc/omx_vdec.h b/mm-video-v4l2/vidc/vdec/inc/omx_vdec.h +index 59f81a7c4..a34675507 100644 +--- a/mm-video-v4l2/vidc/vdec/inc/omx_vdec.h ++++ b/mm-video-v4l2/vidc/vdec/inc/omx_vdec.h +@@ -1,5 +1,5 @@ + /*-------------------------------------------------------------------------- +-Copyright (c) 2010 - 2015, The Linux Foundation. All rights reserved. ++Copyright (c) 2010 - 2015, 2018, The Linux Foundation. All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions +@@ -1171,6 +1171,7 @@ class omx_vdec: public qc_omx_component + } + }; + client_extradata_info m_client_extradata_info; ++ bool m_buffer_error; + }; + + #ifdef _MSM8974_ +diff --git a/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp b/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp +index d1311f6ce..11b882aac 100644 +--- a/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp ++++ b/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp +@@ -1,5 +1,5 @@ + /*-------------------------------------------------------------------------- +-Copyright (c) 2010 - 2015, The Linux Foundation. All rights reserved. ++Copyright (c) 2010 - 2015, 2018, The Linux Foundation. All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: +@@ -596,7 +596,8 @@ omx_vdec::omx_vdec(): m_error_propogated(false), + stereo_output_mode(HAL_NO_3D), + m_last_rendered_TS(-1), + m_queued_codec_config_count(0), +- secure_scaling_to_non_secure_opb(false) ++ secure_scaling_to_non_secure_opb(false), ++ m_buffer_error(false) + { + /* Assumption is that , to begin with , we have all the frames with decoder */ + DEBUG_PRINT_HIGH("In %u bit OMX vdec Constructor", (unsigned int)sizeof(long) * 8); +@@ -4753,6 +4754,7 @@ OMX_ERRORTYPE omx_vdec::use_output_buffer( + eRet = allocate_output_headers(); + if (eRet == OMX_ErrorNone) + eRet = allocate_extradata(); ++ output_use_buffer = true; + } + + if (eRet == OMX_ErrorNone) { +@@ -5168,7 +5170,6 @@ OMX_ERRORTYPE omx_vdec::free_input_buffer(OMX_BUFFERHEADERTYPE *bufferHdr) + index = bufferHdr - m_inp_mem_ptr; + DEBUG_PRINT_LOW("Free Input Buffer index = %d",index); + +- auto_lock l(buf_lock); + bufferHdr->pInputPortPrivate = NULL; + + if (index < drv_ctx.ip_buf.actualcount && drv_ctx.ptr_inputbuffer) { +@@ -5374,11 +5375,13 @@ OMX_ERRORTYPE omx_vdec::allocate_input_buffer( + unsigned i = 0; + unsigned char *buf_addr = NULL; + int pmem_fd = -1; ++ unsigned int align_size = 0; + + (void) hComp; + (void) port; + + ++ + if (bytes != drv_ctx.ip_buf.buffer_size) { + DEBUG_PRINT_LOW("Requested Size is wrong %u epected is %u", + (unsigned int)bytes, (unsigned int)drv_ctx.ip_buf.buffer_size); +@@ -5433,8 +5436,10 @@ OMX_ERRORTYPE omx_vdec::allocate_input_buffer( + int rc; + DEBUG_PRINT_LOW("Allocate input Buffer"); + #ifdef USE_ION ++ align_size = drv_ctx.ip_buf.buffer_size + 512; ++ align_size = (align_size + drv_ctx.ip_buf.alignment - 1)&(~(drv_ctx.ip_buf.alignment - 1)); + drv_ctx.ip_buf_ion_info[i].ion_device_fd = alloc_map_ion_memory( +- drv_ctx.ip_buf.buffer_size,drv_ctx.op_buf.alignment, ++ align_size, drv_ctx.op_buf.alignment, + &drv_ctx.ip_buf_ion_info[i].ion_alloc_data, + &drv_ctx.ip_buf_ion_info[i].fd_ion_data, secure_mode ? ION_SECURE : ION_FLAG_CACHED); + if (drv_ctx.ip_buf_ion_info[i].ion_device_fd < 0) { +@@ -5927,6 +5932,10 @@ OMX_ERRORTYPE omx_vdec::allocate_buffer(OMX_IN OMX_HANDLETYPE hC + eRet = allocate_input_buffer(hComp,bufferHdr,port,appData,bytes); + } + } else if (port == OMX_CORE_OUTPUT_PORT_INDEX) { ++ if (output_use_buffer) { ++ DEBUG_PRINT_ERROR("Allocate output buffer not allowed after use buffer"); ++ return OMX_ErrorBadParameter; ++ } + eRet = client_buffers.allocate_buffers_color_convert(hComp,bufferHdr,port, + appData,bytes); + } else { +@@ -5987,6 +5996,7 @@ OMX_ERRORTYPE omx_vdec::free_buffer(OMX_IN OMX_HANDLETYPE hComp, + (void) hComp; + DEBUG_PRINT_LOW("In for decoder free_buffer"); + ++ auto_lock l(buf_lock); + if (m_state == OMX_StateIdle && + (BITMASK_PRESENT(&m_flags ,OMX_COMPONENT_LOADING_PENDING))) { + DEBUG_PRINT_LOW(" free buffer while Component in Loading pending"); +@@ -6003,7 +6013,7 @@ OMX_ERRORTYPE omx_vdec::free_buffer(OMX_IN OMX_HANDLETYPE hComp, + post_event(OMX_EventError, + OMX_ErrorPortUnpopulated, + OMX_COMPONENT_GENERATE_EVENT); +- ++ m_buffer_error = true; + return OMX_ErrorIncorrectStateOperation; + } else if (m_state != OMX_StateInvalid) { + DEBUG_PRINT_ERROR("Invalid state to free buffer,port lost Buffers"); +@@ -6011,7 +6021,6 @@ OMX_ERRORTYPE omx_vdec::free_buffer(OMX_IN OMX_HANDLETYPE hComp, + OMX_ErrorPortUnpopulated, + OMX_COMPONENT_GENERATE_EVENT); + } +- + if (port == OMX_CORE_INPUT_PORT_INDEX) { + /*Check if arbitrary bytes*/ + if (!arbitrary_bytes && !input_use_buffer) +@@ -6108,6 +6117,7 @@ OMX_ERRORTYPE omx_vdec::free_buffer(OMX_IN OMX_HANDLETYPE hComp, + BITMASK_CLEAR((&m_flags),OMX_COMPONENT_LOADING_PENDING); + post_event(OMX_CommandStateSet, OMX_StateLoaded, + OMX_COMPONENT_GENERATE_EVENT); ++ m_buffer_error = false; + } + } + return eRet; +@@ -6281,6 +6291,11 @@ OMX_ERRORTYPE omx_vdec::empty_this_buffer_proxy(OMX_IN OMX_HANDLETYPE hComp, + if (!temp_buffer || (temp_buffer - drv_ctx.ptr_inputbuffer) > (int)drv_ctx.ip_buf.actualcount) { + return OMX_ErrorBadParameter; + } ++ ++ if (BITMASK_ABSENT(&m_inp_bm_count, nPortIndex) || m_buffer_error) { ++ DEBUG_PRINT_ERROR("ETBProxy: ERROR: invalid buffer, nPortIndex %u", nPortIndex); ++ return OMX_ErrorBadParameter; ++ } + /* If its first frame, H264 codec and reject is true, then parse the nal + and get the profile. Based on this, reject the clip playback */ + if (first_frame == 0 && codec_type_parse == CODEC_TYPE_H264 && +@@ -6568,6 +6583,7 @@ OMX_ERRORTYPE omx_vdec::fill_this_buffer_proxy( + struct vdec_bufferpayload *ptr_outputbuffer = NULL; + struct vdec_output_frameinfo *ptr_respbuffer = NULL; + ++ auto_lock l(buf_lock); + nPortIndex = buffer-((OMX_BUFFERHEADERTYPE *)client_buffers.get_il_buf_hdr()); + + if (bufferAdd == NULL || nPortIndex >= drv_ctx.op_buf.actualcount) { +@@ -6576,6 +6592,10 @@ OMX_ERRORTYPE omx_vdec::fill_this_buffer_proxy( + return OMX_ErrorBadParameter; + } + ++ if (BITMASK_ABSENT(&m_out_bm_count, nPortIndex) || m_buffer_error) { ++ DEBUG_PRINT_ERROR("FTBProxy: ERROR: invalid buffer, nPortIndex %u", nPortIndex); ++ return OMX_ErrorBadParameter; ++ } + DEBUG_PRINT_LOW("FTBProxy: bufhdr = %p, bufhdr->pBuffer = %p", + bufferAdd, bufferAdd->pBuffer); + /*Return back the output buffer to client*/ +@@ -7762,7 +7782,7 @@ int omx_vdec::async_message_process (void *context, void* message) + output_respbuf->pic_type = PICTURE_TYPE_B; + } + +- if (omx->output_use_buffer) ++ if (!omx->m_enable_android_native_buffers && omx->output_use_buffer) + memcpy ( omxhdr->pBuffer, (void *) + ((unsigned long)vdec_msg->msgdata.output_frame.bufferaddr + + (unsigned long)vdec_msg->msgdata.output_frame.offset), diff --git a/Patches/LineageOS-14.1/android_hardware_qcom_media/229950.patch b/Patches/LineageOS-14.1/android_hardware_qcom_media/229950.patch new file mode 100644 index 00000000..ceaa5fed --- /dev/null +++ b/Patches/LineageOS-14.1/android_hardware_qcom_media/229950.patch @@ -0,0 +1,179 @@ +From f42b03df24d3acd5caaa2628c206c591ccc023eb Mon Sep 17 00:00:00 2001 +From: Ray Essick +Date: Mon, 2 Jul 2018 16:00:09 -0700 +Subject: [PATCH] mm-video-v4l2: Protect buffer access and increase input + buffer size + +Protect buffer access for below scenarios: + +*Increase the scope of buf_lock in free_buffer to avoid access + of freed buffer for both input and output buffers. Also, add check + before output buffer access. + +*Disallow allocate buffer mode after client has called use buffer. + +Allocate additional 512 bytes of memory for input buffers on top of +allocation size as per hardware requirement. + +Bug: 64340487 +Test: ran POC on sailfish/nyc-mr1-dev +Change-Id: Ic13b511b2d1c46e0b158880c41c9a02e2fefd113 +Merged-In: Id699404d6c276c8702826d79b3a6ba9755b3439f +(cherry picked from commit 660db9e9708872f9a407ac14e92a5017599ced34) +--- + .../mm-video-v4l2/vidc/vdec/inc/omx_vdec.h | 3 +- + .../vidc/vdec/src/omx_vdec_v4l2.cpp | 32 +++++++++++++++---- + 2 files changed, 28 insertions(+), 7 deletions(-) + +diff --git a/msm8996/mm-video-v4l2/vidc/vdec/inc/omx_vdec.h b/msm8996/mm-video-v4l2/vidc/vdec/inc/omx_vdec.h +index d400fc39e..f0958b166 100644 +--- a/msm8996/mm-video-v4l2/vidc/vdec/inc/omx_vdec.h ++++ b/msm8996/mm-video-v4l2/vidc/vdec/inc/omx_vdec.h +@@ -1,5 +1,5 @@ + /*-------------------------------------------------------------------------- +-Copyright (c) 2010 - 2016, The Linux Foundation. All rights reserved. ++Copyright (c) 2010 - 2016, 2018, The Linux Foundation. All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions +@@ -1173,6 +1173,7 @@ class omx_vdec: public qc_omx_component + static OMX_ERRORTYPE describeColorFormat(OMX_PTR params); + void prefetchNewBuffers(); + ++ bool m_buffer_error; + }; + + #ifdef _MSM8974_ +diff --git a/msm8996/mm-video-v4l2/vidc/vdec/src/omx_vdec_v4l2.cpp b/msm8996/mm-video-v4l2/vidc/vdec/src/omx_vdec_v4l2.cpp +index 9d041e990..003cd9b56 100644 +--- a/msm8996/mm-video-v4l2/vidc/vdec/src/omx_vdec_v4l2.cpp ++++ b/msm8996/mm-video-v4l2/vidc/vdec/src/omx_vdec_v4l2.cpp +@@ -1,5 +1,5 @@ + /*-------------------------------------------------------------------------- +-Copyright (c) 2010 - 2016, The Linux Foundation. All rights reserved. ++Copyright (c) 2010 - 2016, 2018, The Linux Foundation. All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: +@@ -647,7 +647,8 @@ omx_vdec::omx_vdec(): m_error_propogated(false), + m_queued_codec_config_count(0), + current_perf_level(V4L2_CID_MPEG_VIDC_PERF_LEVEL_NOMINAL), + secure_scaling_to_non_secure_opb(false), +- m_force_compressed_for_dpb(false) ++ m_force_compressed_for_dpb(false), ++ m_buffer_error(false) + { + m_pipe_in = -1; + m_pipe_out = -1; +@@ -5525,6 +5526,7 @@ OMX_ERRORTYPE omx_vdec::use_output_buffer( + eRet = allocate_output_headers(); + if (eRet == OMX_ErrorNone) + eRet = allocate_extradata(); ++ output_use_buffer = true; + } + + if (eRet == OMX_ErrorNone) { +@@ -5947,7 +5949,6 @@ OMX_ERRORTYPE omx_vdec::free_input_buffer(OMX_BUFFERHEADERTYPE *bufferHdr) + index = bufferHdr - m_inp_mem_ptr; + DEBUG_PRINT_LOW("Free Input Buffer index = %d",index); + +- auto_lock l(buf_lock); + bufferHdr->pInputPortPrivate = NULL; + + if (index < drv_ctx.ip_buf.actualcount && drv_ctx.ptr_inputbuffer) { +@@ -6156,6 +6157,7 @@ OMX_ERRORTYPE omx_vdec::allocate_input_buffer( + unsigned i = 0; + unsigned char *buf_addr = NULL; + int pmem_fd = -1; ++ unsigned int align_size = 0; + + (void) hComp; + (void) port; +@@ -6215,8 +6217,10 @@ OMX_ERRORTYPE omx_vdec::allocate_input_buffer( + int rc; + DEBUG_PRINT_LOW("Allocate input Buffer"); + #ifdef USE_ION ++ align_size = drv_ctx.ip_buf.buffer_size + 512; ++ align_size = (align_size + drv_ctx.ip_buf.alignment - 1)&(~(drv_ctx.ip_buf.alignment - 1)); + drv_ctx.ip_buf_ion_info[i].ion_device_fd = alloc_map_ion_memory( +- drv_ctx.ip_buf.buffer_size,drv_ctx.op_buf.alignment, ++ align_size, drv_ctx.op_buf.alignment, + &drv_ctx.ip_buf_ion_info[i].ion_alloc_data, + &drv_ctx.ip_buf_ion_info[i].fd_ion_data, secure_mode ? + SECURE_FLAGS_INPUT_BUFFER : ION_FLAG_CACHED); +@@ -6704,6 +6708,10 @@ OMX_ERRORTYPE omx_vdec::allocate_buffer(OMX_IN OMX_HANDLETYPE hC + eRet = allocate_input_buffer(hComp,bufferHdr,port,appData,bytes); + } + } else if (port == OMX_CORE_OUTPUT_PORT_INDEX) { ++ if (output_use_buffer) { ++ DEBUG_PRINT_ERROR("Allocate output buffer not allowed after use buffer"); ++ return OMX_ErrorBadParameter; ++ } + eRet = client_buffers.allocate_buffers_color_convert(hComp,bufferHdr,port, + appData,bytes); + } else { +@@ -6764,6 +6772,7 @@ OMX_ERRORTYPE omx_vdec::free_buffer(OMX_IN OMX_HANDLETYPE hComp, + (void) hComp; + DEBUG_PRINT_LOW("In for decoder free_buffer"); + ++ auto_lock l(buf_lock); + if (m_state == OMX_StateIdle && + (BITMASK_PRESENT(&m_flags ,OMX_COMPONENT_LOADING_PENDING))) { + DEBUG_PRINT_LOW(" free buffer while Component in Loading pending"); +@@ -6780,7 +6789,7 @@ OMX_ERRORTYPE omx_vdec::free_buffer(OMX_IN OMX_HANDLETYPE hComp, + post_event(OMX_EventError, + OMX_ErrorPortUnpopulated, + OMX_COMPONENT_GENERATE_EVENT); +- ++ m_buffer_error = true; + return OMX_ErrorIncorrectStateOperation; + } else if (m_state != OMX_StateInvalid) { + DEBUG_PRINT_ERROR("Invalid state to free buffer,port lost Buffers"); +@@ -6885,6 +6894,7 @@ OMX_ERRORTYPE omx_vdec::free_buffer(OMX_IN OMX_HANDLETYPE hComp, + BITMASK_CLEAR((&m_flags),OMX_COMPONENT_LOADING_PENDING); + post_event(OMX_CommandStateSet, OMX_StateLoaded, + OMX_COMPONENT_GENERATE_EVENT); ++ m_buffer_error = false; + } + } + return eRet; +@@ -7054,6 +7064,11 @@ OMX_ERRORTYPE omx_vdec::empty_this_buffer_proxy(OMX_IN OMX_HANDLETYPE hComp, + if (!temp_buffer || (temp_buffer - drv_ctx.ptr_inputbuffer) > (int)drv_ctx.ip_buf.actualcount) { + return OMX_ErrorBadParameter; + } ++ ++ if (BITMASK_ABSENT(&m_inp_bm_count, nPortIndex) || m_buffer_error) { ++ DEBUG_PRINT_ERROR("ETBProxy: ERROR: invalid buffer, nPortIndex %u", nPortIndex); ++ return OMX_ErrorBadParameter; ++ } + /* If its first frame, H264 codec and reject is true, then parse the nal + and get the profile. Based on this, reject the clip playback */ + if (first_frame == 0 && codec_type_parse == CODEC_TYPE_H264 && +@@ -7343,6 +7358,7 @@ OMX_ERRORTYPE omx_vdec::fill_this_buffer_proxy( + struct vdec_bufferpayload *ptr_outputbuffer = NULL; + struct vdec_output_frameinfo *ptr_respbuffer = NULL; + ++ auto_lock l(buf_lock); + nPortIndex = buffer-((OMX_BUFFERHEADERTYPE *)client_buffers.get_il_buf_hdr()); + + if (bufferAdd == NULL || nPortIndex >= drv_ctx.op_buf.actualcount) { +@@ -7351,6 +7367,10 @@ OMX_ERRORTYPE omx_vdec::fill_this_buffer_proxy( + return OMX_ErrorBadParameter; + } + ++ if (BITMASK_ABSENT(&m_out_bm_count, nPortIndex) || m_buffer_error) { ++ DEBUG_PRINT_ERROR("FTBProxy: ERROR: invalid buffer, nPortIndex %u", nPortIndex); ++ return OMX_ErrorBadParameter; ++ } + DEBUG_PRINT_LOW("FTBProxy: bufhdr = %p, bufhdr->pBuffer = %p", + bufferAdd, bufferAdd->pBuffer); + /*Return back the output buffer to client*/ +@@ -8624,7 +8644,7 @@ int omx_vdec::async_message_process (void *context, void* message) + if (omxhdr && omxhdr->nFilledLen) { + omx->request_perf_level(VIDC_NOMINAL); + } +- if (omx->output_use_buffer && omxhdr->pBuffer && ++ if (!omx->m_enable_android_native_buffers && omx->output_use_buffer && omxhdr->pBuffer && + vdec_msg->msgdata.output_frame.bufferaddr) + memcpy ( omxhdr->pBuffer, (void *) + ((unsigned long)vdec_msg->msgdata.output_frame.bufferaddr + diff --git a/Patches/LineageOS-14.1/android_hardware_qcom_media/229951.patch b/Patches/LineageOS-14.1/android_hardware_qcom_media/229951.patch new file mode 100644 index 00000000..9c298d5f --- /dev/null +++ b/Patches/LineageOS-14.1/android_hardware_qcom_media/229951.patch @@ -0,0 +1,175 @@ +From 603c2ff8064e479640a45c04f0f9a307e465f63d Mon Sep 17 00:00:00 2001 +From: Ray Essick +Date: Fri, 29 Jun 2018 14:12:19 -0700 +Subject: [PATCH] mm-video-v4l2: Squash below changes + +mm-video-v4l2: Protect buffer access and increase input buffer size + +Protect buffer access for below scenarios: +*Increase the scope of buf_lock in free_buffer to avoid access + of freed buffer for both input and output buffers. Also, add check + before output buffer access. +*Disallow allocate buffer mode after client has called use buffer. +Allocate additional 512 bytes of memory for input buffers on top of +allocation size as per hardware requirement. + +mm-video-v4l2: correct the buffer error flag setting + +The buffer error flag setting is corrected in free_buffer() +call + +Bug: 64340487 +Test: poc from bug +Change-Id: I8a28d86135f2fc39a45a6a07355845327dec2dfa +Merged-In: I32d6cb7f61b873edd567881d1bf3e620cd78e715 +(cherry picked from commit 808b94b164c39d75d78481f301151fc299b201cc) +--- + .../mm-video-v4l2/vidc/vdec/inc/omx_vdec.h | 3 +- + .../vidc/vdec/src/omx_vdec_v4l2.cpp | 30 +++++++++++++++---- + 2 files changed, 27 insertions(+), 6 deletions(-) + +diff --git a/msm8998/mm-video-v4l2/vidc/vdec/inc/omx_vdec.h b/msm8998/mm-video-v4l2/vidc/vdec/inc/omx_vdec.h +index 05d6bc777..21f4c20fa 100644 +--- a/msm8998/mm-video-v4l2/vidc/vdec/inc/omx_vdec.h ++++ b/msm8998/mm-video-v4l2/vidc/vdec/inc/omx_vdec.h +@@ -1,5 +1,5 @@ + /*-------------------------------------------------------------------------- +-Copyright (c) 2010 - 2016, The Linux Foundation. All rights reserved. ++Copyright (c) 2010 - 2018, The Linux Foundation. All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions +@@ -1275,6 +1275,7 @@ class omx_vdec: public qc_omx_component + } + }; + client_extradata_info m_client_extradata_info; ++ bool m_buffer_error; + }; + + #ifdef _MSM8974_ +diff --git a/msm8998/mm-video-v4l2/vidc/vdec/src/omx_vdec_v4l2.cpp b/msm8998/mm-video-v4l2/vidc/vdec/src/omx_vdec_v4l2.cpp +index 99b0c6e78..cfb72d83b 100644 +--- a/msm8998/mm-video-v4l2/vidc/vdec/src/omx_vdec_v4l2.cpp ++++ b/msm8998/mm-video-v4l2/vidc/vdec/src/omx_vdec_v4l2.cpp +@@ -668,7 +668,8 @@ omx_vdec::omx_vdec(): m_error_propogated(false), + current_perf_level(V4L2_CID_MPEG_VIDC_PERF_LEVEL_NOMINAL), + secure_scaling_to_non_secure_opb(false), + m_force_compressed_for_dpb(true), +- m_is_display_session(false) ++ m_is_display_session(false), ++ m_buffer_error(false) + { + m_pipe_in = -1; + m_pipe_out = -1; +@@ -5823,6 +5824,7 @@ OMX_ERRORTYPE omx_vdec::use_output_buffer( + eRet = allocate_output_headers(); + if (eRet == OMX_ErrorNone) + eRet = allocate_extradata(); ++ output_use_buffer = true; + } + + if (eRet == OMX_ErrorNone) { +@@ -6245,7 +6247,6 @@ OMX_ERRORTYPE omx_vdec::free_input_buffer(OMX_BUFFERHEADERTYPE *bufferHdr) + index = bufferHdr - m_inp_mem_ptr; + DEBUG_PRINT_LOW("Free Input Buffer index = %d",index); + +- auto_lock l(buf_lock); + bufferHdr->pInputPortPrivate = NULL; + + if (index < drv_ctx.ip_buf.actualcount && drv_ctx.ptr_inputbuffer) { +@@ -6459,6 +6460,7 @@ OMX_ERRORTYPE omx_vdec::allocate_input_buffer( + unsigned i = 0; + unsigned char *buf_addr = NULL; + int pmem_fd = -1; ++ unsigned int align_size = 0; + + (void) hComp; + (void) port; +@@ -6518,8 +6520,10 @@ OMX_ERRORTYPE omx_vdec::allocate_input_buffer( + int rc; + DEBUG_PRINT_LOW("Allocate input Buffer"); + #ifdef USE_ION ++ align_size = drv_ctx.ip_buf.buffer_size + 512; ++ align_size = (align_size + drv_ctx.ip_buf.alignment - 1)&(~(drv_ctx.ip_buf.alignment - 1)); + drv_ctx.ip_buf_ion_info[i].ion_device_fd = alloc_map_ion_memory( +- drv_ctx.ip_buf.buffer_size,drv_ctx.op_buf.alignment, ++ align_size, drv_ctx.op_buf.alignment, + &drv_ctx.ip_buf_ion_info[i].ion_alloc_data, + &drv_ctx.ip_buf_ion_info[i].fd_ion_data, secure_mode ? + SECURE_FLAGS_INPUT_BUFFER : ION_FLAG_CACHED); +@@ -7011,6 +7015,10 @@ OMX_ERRORTYPE omx_vdec::allocate_buffer(OMX_IN OMX_HANDLETYPE hC + eRet = allocate_input_buffer(hComp,bufferHdr,port,appData,bytes); + } + } else if (port == OMX_CORE_OUTPUT_PORT_INDEX) { ++ if (output_use_buffer) { ++ DEBUG_PRINT_ERROR("Allocate output buffer not allowed after use buffer"); ++ return OMX_ErrorBadParameter; ++ } + eRet = client_buffers.allocate_buffers_color_convert(hComp,bufferHdr,port, + appData,bytes); + } else { +@@ -7071,6 +7079,7 @@ OMX_ERRORTYPE omx_vdec::free_buffer(OMX_IN OMX_HANDLETYPE hComp, + (void) hComp; + DEBUG_PRINT_LOW("In for decoder free_buffer"); + ++ auto_lock l(buf_lock); + if (m_state == OMX_StateIdle && + (BITMASK_PRESENT(&m_flags ,OMX_COMPONENT_LOADING_PENDING))) { + DEBUG_PRINT_LOW(" free buffer while Component in Loading pending"); +@@ -7087,7 +7096,7 @@ OMX_ERRORTYPE omx_vdec::free_buffer(OMX_IN OMX_HANDLETYPE hComp, + post_event(OMX_EventError, + OMX_ErrorPortUnpopulated, + OMX_COMPONENT_GENERATE_EVENT); +- ++ m_buffer_error = true; + return OMX_ErrorIncorrectStateOperation; + } else if (m_state != OMX_StateInvalid) { + DEBUG_PRINT_ERROR("Invalid state to free buffer,port lost Buffers"); +@@ -7192,6 +7201,7 @@ OMX_ERRORTYPE omx_vdec::free_buffer(OMX_IN OMX_HANDLETYPE hComp, + BITMASK_CLEAR((&m_flags),OMX_COMPONENT_LOADING_PENDING); + post_event(OMX_CommandStateSet, OMX_StateLoaded, + OMX_COMPONENT_GENERATE_EVENT); ++ m_buffer_error = false; + } + } + return eRet; +@@ -7363,6 +7373,11 @@ OMX_ERRORTYPE omx_vdec::empty_this_buffer_proxy(OMX_IN OMX_HANDLETYPE hComp, + if (!temp_buffer || (temp_buffer - drv_ctx.ptr_inputbuffer) > (int)drv_ctx.ip_buf.actualcount) { + return OMX_ErrorBadParameter; + } ++ ++ if (BITMASK_ABSENT(&m_inp_bm_count, nPortIndex) || m_buffer_error) { ++ DEBUG_PRINT_ERROR("ETBProxy: ERROR: invalid buffer, nPortIndex %u", nPortIndex); ++ return OMX_ErrorBadParameter; ++ } + /* If its first frame, H264 codec and reject is true, then parse the nal + and get the profile. Based on this, reject the clip playback */ + if (first_frame == 0 && codec_type_parse == CODEC_TYPE_H264 && +@@ -7664,6 +7679,7 @@ OMX_ERRORTYPE omx_vdec::fill_this_buffer_proxy( + struct vdec_bufferpayload *ptr_outputbuffer = NULL; + struct vdec_output_frameinfo *ptr_respbuffer = NULL; + ++ auto_lock l(buf_lock); + nPortIndex = buffer-((OMX_BUFFERHEADERTYPE *)client_buffers.get_il_buf_hdr()); + + if (bufferAdd == NULL || nPortIndex >= drv_ctx.op_buf.actualcount) { +@@ -7672,6 +7688,10 @@ OMX_ERRORTYPE omx_vdec::fill_this_buffer_proxy( + return OMX_ErrorBadParameter; + } + ++ if (BITMASK_ABSENT(&m_out_bm_count, nPortIndex) || m_buffer_error) { ++ DEBUG_PRINT_ERROR("FTBProxy: ERROR: invalid buffer, nPortIndex %u", nPortIndex); ++ return OMX_ErrorBadParameter; ++ } + DEBUG_PRINT_LOW("FTBProxy: bufhdr = %p, bufhdr->pBuffer = %p", + bufferAdd, bufferAdd->pBuffer); + /*Return back the output buffer to client*/ +@@ -9032,7 +9052,7 @@ int omx_vdec::async_message_process (void *context, void* message) + if (omxhdr && omxhdr->nFilledLen && !omx->high_fps) { + omx->request_perf_level(VIDC_NOMINAL); + } +- if (omx->output_use_buffer && omxhdr->pBuffer && ++ if (!omx->m_enable_android_native_buffers && omx->output_use_buffer && omxhdr->pBuffer && + vdec_msg->msgdata.output_frame.bufferaddr) + memcpy ( omxhdr->pBuffer, (void *) + ((unsigned long)vdec_msg->msgdata.output_frame.bufferaddr + diff --git a/Scripts/LineageOS-14.1/Functions.sh b/Scripts/LineageOS-14.1/Functions.sh index bf77168c..f8fb072c 100644 --- a/Scripts/LineageOS-14.1/Functions.sh +++ b/Scripts/LineageOS-14.1/Functions.sh @@ -96,7 +96,6 @@ patchWorkspace() { umask 0022; if [ "$DOS_MALWARE_SCAN_ENABLED" = true ]; then scanForMalware false "$DOS_PREBUILT_APPS $DOS_BUILD_BASE/build $DOS_BUILD_BASE/device $DOS_BUILD_BASE/vendor/cm"; fi; source build/envsetup.sh; - repopick -ift n_asb_09-2018-qcom; #TODO: move in tree #repopick -it bt-sbc-hd-dualchannel-nougat; repopick -it n-asb-2021-06; repopick -it n-asb-2021-07; diff --git a/Scripts/LineageOS-14.1/Patch.sh b/Scripts/LineageOS-14.1/Patch.sh index 7ac5529a..8adbd592 100644 --- a/Scripts/LineageOS-14.1/Patch.sh +++ b/Scripts/LineageOS-14.1/Patch.sh @@ -141,6 +141,7 @@ git apply "$DOS_PATCHES_COMMON/android_hardware_qcom_display/CVE-2019-2306-msm89 git apply "$DOS_PATCHES_COMMON/android_hardware_qcom_display/CVE-2019-2306-msm8974.patch" --directory msm8974; git apply "$DOS_PATCHES_COMMON/android_hardware_qcom_display/CVE-2019-2306-msm8994.patch" --directory msm8994; #missing msm8909, msm8996, msm8998 +git apply "$DOS_PATCHES/android_hardware_qcom_display/229952.patch"; #n_asb_09-2018-qcom fi; if enterAndClear "hardware/qcom/display-caf/apq8084"; then @@ -167,10 +168,31 @@ if enterAndClear "hardware/qcom/display-caf/msm8994"; then git apply "$DOS_PATCHES_COMMON/android_hardware_qcom_display/CVE-2019-2306-msm8994.patch"; fi; +if enterAndClear "hardware/qcom/display-caf/msm8996"; then +git apply "$DOS_PATCHES/android_hardware_qcom_display/227623.patch"; #n_asb_09-2018-qcom +fi; + +if enterAndClear "hardware/qcom/display-caf/msm8998"; then +git apply "$DOS_PATCHES/android_hardware_qcom_display/227624.patch"; #n_asb_09-2018-qcom +fi; + if enterAndClear "hardware/qcom/gps"; then git apply "$DOS_PATCHES/android_hardware_qcom_gps/0001-rollover.patch"; #fix week rollover fi; +if enterAndClear "hardware/qcom/media"; then +git apply "$DOS_PATCHES/android_hardware_qcom_media/229950.patch"; #n_asb_09-2018-qcom +git apply "$DOS_PATCHES/android_hardware_qcom_media/229951.patch"; #n_asb_09-2018-qcom +fi; + +if enterAndClear "hardware/qcom/media-caf/apq8084"; then +git apply "$DOS_PATCHES/android_hardware_qcom_media/227620.patch"; #n_asb_09-2018-qcom +fi; + +if enterAndClear "hardware/qcom/media-caf/msm8994"; then +git apply "$DOS_PATCHES/android_hardware_qcom_media/227622.patch"; #n_asb_09-2018-qcom +fi; + if enterAndClear "packages/apps/CMParts"; then rm -rf src/org/cyanogenmod/cmparts/cmstats/ res/xml/anonymous_stats.xml res/xml/preview_data.xml; #Nuke part of CMStats patch -p1 < "$DOS_PATCHES/android_packages_apps_CMParts/0001-Remove_Analytics.patch"; #Remove the rest of CMStats