Move n_asb_09-2018-qcom in tree

This commit is contained in:
Tad 2021-07-09 21:04:08 -04:00
parent 0c53c40b7b
commit 050da06eba
9 changed files with 857 additions and 1 deletions

View File

@ -0,0 +1,28 @@
From 884ada777494cfb80ec77739703d6eef66c40d1e Mon Sep 17 00:00:00 2001
From: Courtney Goeltzenleuchter <courtneygo@google.com>
Date: Thu, 24 May 2018 08:23:55 -0600
Subject: [PATCH] Fix Buffer Overflow in Vendor Service display.qservice
Bug: 63145942
Test: adb shell vndservice call display.qservice 36 s16 sdlkfjsadlfkjasdf
Change-Id: I3fdf5ccd2bf4ed0fa980883fefdb57eb5fbfeee7
(cherry picked from commit 4050091844ccd427587024e5fd916113a5cc0029)
---
sdm/libs/hwc2/hwc_session.cpp | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/sdm/libs/hwc2/hwc_session.cpp b/sdm/libs/hwc2/hwc_session.cpp
index d3c13eee9..90aa4f219 100644
--- a/sdm/libs/hwc2/hwc_session.cpp
+++ b/sdm/libs/hwc2/hwc_session.cpp
@@ -1240,6 +1240,10 @@ android::status_t HWCSession::SetColorModeOverride(const android::Parcel *input_
auto mode = static_cast<android_color_mode_t>(input_parcel->readInt32());
auto device = static_cast<hwc2_device_t *>(this);
+ if (display > HWC_DISPLAY_VIRTUAL) {
+ return -EINVAL;
+ }
+
if (display >= HWC_NUM_DISPLAY_TYPES) {
return -EINVAL;
}

View File

@ -0,0 +1,29 @@
From 6cabf9c6ba281ab44a6b94f0b5f8c3c2026416f9 Mon Sep 17 00:00:00 2001
From: Courtney Goeltzenleuchter <courtneygo@google.com>
Date: Thu, 24 May 2018 08:23:55 -0600
Subject: [PATCH] Fix Buffer Overflow in Vendor Service display.qservice
Bug: 63145942
Test: adb shell vndservice call display.qservice 36 s16 sdlkfjsadlfkjasdf
Change-Id: I3fdf5ccd2bf4ed0fa980883fefdb57eb5fbfeee7
(cherry picked from commit 4050091844ccd427587024e5fd916113a5cc0029)
---
sdm/libs/hwc2/hwc_session.cpp | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/sdm/libs/hwc2/hwc_session.cpp b/sdm/libs/hwc2/hwc_session.cpp
index 5f825c19b..e4b687d6b 100644
--- a/sdm/libs/hwc2/hwc_session.cpp
+++ b/sdm/libs/hwc2/hwc_session.cpp
@@ -1226,6 +1226,11 @@ android::status_t HWCSession::SetColorModeOverride(const android::Parcel *input_
auto display = static_cast<hwc2_display_t >(input_parcel->readInt32());
auto mode = static_cast<android_color_mode_t>(input_parcel->readInt32());
auto device = static_cast<hwc2_device_t *>(this);
+
+ if (display > HWC_DISPLAY_VIRTUAL) {
+ return -EINVAL;
+ }
+
auto err = CallDisplayFunction(device, display, &HWCDisplay::SetColorMode, mode);
if (err != HWC2_ERROR_NONE)
return -EINVAL;

View File

@ -0,0 +1,46 @@
From 0d2fd535bedf567d8ec9adee5e5e5645164558f4 Mon Sep 17 00:00:00 2001
From: Courtney Goeltzenleuchter <courtneygo@google.com>
Date: Thu, 24 May 2018 08:23:55 -0600
Subject: [PATCH] Fix Buffer Overflow in Vendor Service display.qservice
Bug: 63145942
Test: adb shell vndservice call display.qservice 36 s16 sdlkfjsadlfkjasdf
Change-Id: I3fdf5ccd2bf4ed0fa980883fefdb57eb5fbfeee7
(cherry picked from commit 4050091844ccd427587024e5fd916113a5cc0029)
---
msm8996/sdm/libs/hwc2/hwc_session.cpp | 5 +++++
msm8998/sdm/libs/hwc2/hwc_session.cpp | 5 +++++
2 files changed, 10 insertions(+)
diff --git a/msm8996/sdm/libs/hwc2/hwc_session.cpp b/msm8996/sdm/libs/hwc2/hwc_session.cpp
index e4d6cacda..6af85417c 100644
--- a/msm8996/sdm/libs/hwc2/hwc_session.cpp
+++ b/msm8996/sdm/libs/hwc2/hwc_session.cpp
@@ -1215,6 +1215,11 @@ android::status_t HWCSession::SetColorModeOverride(const android::Parcel *input_
auto display = static_cast<hwc2_display_t >(input_parcel->readInt32());
auto mode = static_cast<android_color_mode_t>(input_parcel->readInt32());
auto device = static_cast<hwc2_device_t *>(this);
+
+ if (display > HWC_DISPLAY_VIRTUAL) {
+ return -EINVAL;
+ }
+
auto err = CallDisplayFunction(device, display, &HWCDisplay::SetColorMode, mode);
if (err != HWC2_ERROR_NONE)
return -EINVAL;
diff --git a/msm8998/sdm/libs/hwc2/hwc_session.cpp b/msm8998/sdm/libs/hwc2/hwc_session.cpp
index 96111d9f3..01c6d367b 100644
--- a/msm8998/sdm/libs/hwc2/hwc_session.cpp
+++ b/msm8998/sdm/libs/hwc2/hwc_session.cpp
@@ -1214,6 +1214,11 @@ android::status_t HWCSession::SetColorModeOverride(const android::Parcel *input_
auto display = static_cast<hwc2_display_t >(input_parcel->readInt32());
auto mode = static_cast<android_color_mode_t>(input_parcel->readInt32());
auto device = static_cast<hwc2_device_t *>(this);
+
+ if (display > HWC_DISPLAY_VIRTUAL) {
+ return -EINVAL;
+ }
+
auto err = CallDisplayFunction(device, display, &HWCDisplay::SetColorMode, mode);
if (err != HWC2_ERROR_NONE)
return -EINVAL;

View File

@ -0,0 +1,186 @@
From ad22eabfe9abb5196bbf0136371e849a46142bc0 Mon Sep 17 00:00:00 2001
From: Santhosh Behara <santhoshbehara@codeaurora.org>
Date: Tue, 15 May 2018 06:09:50 -0700
Subject: [PATCH] mm-video-v4l2: Protect buffer access and increase input
buffer size
Protect buffer access for below scenarios:
*Increase the scope of buf_lock in free_buffer to avoid access
of freed buffer for both input and output buffers. Also, add check
before output buffer access.
*Disallow allocate buffer mode after client has called use buffer.
Allocate additional 512 bytes of memory for input buffers on top of
allocation size as per hardware requirement.
Bug: 64340487
Test: ran POC on bullhead/nyc-dev
Change-Id: Iabbb2d7e00ff97bfc47b04386feec66976fca99a
(cherry picked from commit 83aeab22d1bdc493b3ea2f50616bb8fd460d6c74)
---
mm-video-v4l2/vidc/vdec/inc/omx_vdec.h | 3 +-
.../vidc/vdec/src/omx_vdec_msm8974.cpp | 33 +++++++++++++++----
2 files changed, 28 insertions(+), 8 deletions(-)
diff --git a/mm-video-v4l2/vidc/vdec/inc/omx_vdec.h b/mm-video-v4l2/vidc/vdec/inc/omx_vdec.h
index 9b01376d5..07cbcc772 100644
--- a/mm-video-v4l2/vidc/vdec/inc/omx_vdec.h
+++ b/mm-video-v4l2/vidc/vdec/inc/omx_vdec.h
@@ -1,5 +1,5 @@
/*--------------------------------------------------------------------------
-Copyright (c) 2010 - 2014, The Linux Foundation. All rights reserved.
+Copyright (c) 2010 - 2014, 2018, The Linux Foundation. All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
@@ -1066,6 +1066,7 @@ class omx_vdec: public qc_omx_component
}
static OMX_ERRORTYPE describeColorFormat(OMX_PTR params);
+ bool m_buffer_error;
};
#ifdef _MSM8974_
diff --git a/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp b/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp
index ccfb8c2d2..b887b72bd 100644
--- a/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp
+++ b/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp
@@ -1,5 +1,5 @@
/*--------------------------------------------------------------------------
-Copyright (c) 2010 - 2014, The Linux Foundation. All rights reserved.
+Copyright (c) 2010 - 2014, 2018, The Linux Foundation. All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
@@ -574,7 +574,8 @@ omx_vdec::omx_vdec(): m_error_propogated(false),
m_profile(0),
client_set_fps(false),
m_last_rendered_TS(-1),
- m_queued_codec_config_count(0)
+ m_queued_codec_config_count(0),
+ m_buffer_error(false)
{
/* Assumption is that , to begin with , we have all the frames with decoder */
DEBUG_PRINT_HIGH("In OMX vdec Constructor");
@@ -4490,6 +4491,7 @@ OMX_ERRORTYPE omx_vdec::use_output_buffer(
eRet = allocate_output_headers();
if (eRet == OMX_ErrorNone)
eRet = allocate_extradata();
+ output_use_buffer = true;
}
if (eRet == OMX_ErrorNone) {
@@ -4892,7 +4894,6 @@ OMX_ERRORTYPE omx_vdec::free_input_buffer(OMX_BUFFERHEADERTYPE *bufferHdr)
index = bufferHdr - m_inp_mem_ptr;
DEBUG_PRINT_LOW("Free Input Buffer index = %d",index);
- auto_lock l(buf_lock);
bufferHdr->pInputPortPrivate = NULL;
if (index < drv_ctx.ip_buf.actualcount && drv_ctx.ptr_inputbuffer) {
@@ -5102,6 +5103,7 @@ OMX_ERRORTYPE omx_vdec::allocate_input_buffer(
unsigned i = 0;
unsigned char *buf_addr = NULL;
int pmem_fd = -1;
+ unsigned int align_size = 0;
if (bytes != drv_ctx.ip_buf.buffer_size) {
DEBUG_PRINT_LOW("Requested Size is wrong %lu epected is %d",
@@ -5157,8 +5159,10 @@ OMX_ERRORTYPE omx_vdec::allocate_input_buffer(
int rc;
DEBUG_PRINT_LOW("Allocate input Buffer");
#ifdef USE_ION
+ align_size = drv_ctx.ip_buf.buffer_size + 512;
+ align_size = (align_size + drv_ctx.ip_buf.alignment - 1)&(~(drv_ctx.ip_buf.alignment - 1));
drv_ctx.ip_buf_ion_info[i].ion_device_fd = alloc_map_ion_memory(
- drv_ctx.ip_buf.buffer_size,drv_ctx.op_buf.alignment,
+ align_size, drv_ctx.op_buf.alignment,
&drv_ctx.ip_buf_ion_info[i].ion_alloc_data,
&drv_ctx.ip_buf_ion_info[i].fd_ion_data, secure_mode ? ION_SECURE : 0);
if (drv_ctx.ip_buf_ion_info[i].ion_device_fd < 0) {
@@ -5639,6 +5643,10 @@ OMX_ERRORTYPE omx_vdec::allocate_buffer(OMX_IN OMX_HANDLETYPE hC
eRet = allocate_input_buffer(hComp,bufferHdr,port,appData,bytes);
}
} else if (port == OMX_CORE_OUTPUT_PORT_INDEX) {
+ if (output_use_buffer) {
+ DEBUG_PRINT_ERROR("Allocate output buffer not allowed after use buffer");
+ return OMX_ErrorBadParameter;
+ }
eRet = client_buffers.allocate_buffers_color_convert(hComp,bufferHdr,port,
appData,bytes);
} else {
@@ -5698,6 +5706,7 @@ OMX_ERRORTYPE omx_vdec::free_buffer(OMX_IN OMX_HANDLETYPE hComp __unuse
unsigned int nPortIndex;
DEBUG_PRINT_LOW("In for decoder free_buffer");
+ auto_lock l(buf_lock);
if (m_state == OMX_StateIdle &&
(BITMASK_PRESENT(&m_flags ,OMX_COMPONENT_LOADING_PENDING))) {
DEBUG_PRINT_LOW(" free buffer while Component in Loading pending");
@@ -5714,7 +5723,7 @@ OMX_ERRORTYPE omx_vdec::free_buffer(OMX_IN OMX_HANDLETYPE hComp __unuse
post_event(OMX_EventError,
OMX_ErrorPortUnpopulated,
OMX_COMPONENT_GENERATE_EVENT);
-
+ m_buffer_error = true;
return OMX_ErrorIncorrectStateOperation;
} else if (m_state != OMX_StateInvalid) {
DEBUG_PRINT_ERROR("Invalid state to free buffer,port lost Buffers");
@@ -5722,7 +5731,6 @@ OMX_ERRORTYPE omx_vdec::free_buffer(OMX_IN OMX_HANDLETYPE hComp __unuse
OMX_ErrorPortUnpopulated,
OMX_COMPONENT_GENERATE_EVENT);
}
-
if (port == OMX_CORE_INPUT_PORT_INDEX) {
/*Check if arbitrary bytes*/
if (!arbitrary_bytes && !input_use_buffer)
@@ -5819,6 +5827,7 @@ OMX_ERRORTYPE omx_vdec::free_buffer(OMX_IN OMX_HANDLETYPE hComp __unuse
BITMASK_CLEAR((&m_flags),OMX_COMPONENT_LOADING_PENDING);
post_event(OMX_CommandStateSet, OMX_StateLoaded,
OMX_COMPONENT_GENERATE_EVENT);
+ m_buffer_error = false;
}
}
return eRet;
@@ -5982,6 +5991,11 @@ OMX_ERRORTYPE omx_vdec::empty_this_buffer_proxy(OMX_IN OMX_HANDLETYPE h
if (!temp_buffer || (temp_buffer - drv_ctx.ptr_inputbuffer) > (int)drv_ctx.ip_buf.actualcount) {
return OMX_ErrorBadParameter;
}
+
+ if (BITMASK_ABSENT(&m_inp_bm_count, nPortIndex) || m_buffer_error) {
+ DEBUG_PRINT_ERROR("ETBProxy: ERROR: invalid buffer, nPortIndex %u", nPortIndex);
+ return OMX_ErrorBadParameter;
+ }
/* If its first frame, H264 codec and reject is true, then parse the nal
and get the profile. Based on this, reject the clip playback */
if (first_frame == 0 && codec_type_parse == CODEC_TYPE_H264 &&
@@ -6268,6 +6282,7 @@ OMX_ERRORTYPE omx_vdec::fill_this_buffer_proxy(
struct vdec_bufferpayload *ptr_outputbuffer = NULL;
struct vdec_output_frameinfo *ptr_respbuffer = NULL;
+ auto_lock l(buf_lock);
nPortIndex = buffer-((OMX_BUFFERHEADERTYPE *)client_buffers.get_il_buf_hdr());
if (bufferAdd == NULL || nPortIndex >= drv_ctx.op_buf.actualcount) {
@@ -6276,6 +6291,10 @@ OMX_ERRORTYPE omx_vdec::fill_this_buffer_proxy(
return OMX_ErrorBadParameter;
}
+ if (BITMASK_ABSENT(&m_out_bm_count, nPortIndex) || m_buffer_error) {
+ DEBUG_PRINT_ERROR("FTBProxy: ERROR: invalid buffer, nPortIndex %u", nPortIndex);
+ return OMX_ErrorBadParameter;
+ }
DEBUG_PRINT_LOW("FTBProxy: bufhdr = %p, bufhdr->pBuffer = %p",
bufferAdd, bufferAdd->pBuffer);
/*Return back the output buffer to client*/
@@ -7417,7 +7436,7 @@ int omx_vdec::async_message_process (void *context, void* message)
output_respbuf->pic_type = PICTURE_TYPE_B;
}
- if (omx->output_use_buffer)
+ if (!omx->m_enable_android_native_buffers && omx->output_use_buffer)
memcpy ( omxhdr->pBuffer, (void *)
((unsigned long)vdec_msg->msgdata.output_frame.bufferaddr +
(unsigned long)vdec_msg->msgdata.output_frame.offset),

View File

@ -0,0 +1,192 @@
From 742cf6ad5c74b71063af755b7ef7df2a3a2f19a3 Mon Sep 17 00:00:00 2001
From: Santhosh Behara <santhoshbehara@codeaurora.org>
Date: Tue, 15 May 2018 06:09:50 -0700
Subject: [PATCH] mm-video-v4l2: Protect buffer access and increase input
buffer size
Protect buffer access for below scenarios:
*Increase the scope of buf_lock in free_buffer to avoid access
of freed buffer for both input and output buffers. Also, add check
before output buffer access.
*Disallow allocate buffer mode after client has called use buffer.
Allocate additional 512 bytes of memory for input buffers on top of
allocation size as per hardware requirement.
Bug: 64340487
Test: ran POC on bullhead/nyc-dev
Change-Id: Iabbb2d7e00ff97bfc47b04386feec66976fca99a
(cherry picked from commit 83aeab22d1bdc493b3ea2f50616bb8fd460d6c74)
---
mm-video-v4l2/vidc/vdec/inc/omx_vdec.h | 3 +-
.../vidc/vdec/src/omx_vdec_msm8974.cpp | 34 +++++++++++++++----
2 files changed, 29 insertions(+), 8 deletions(-)
diff --git a/mm-video-v4l2/vidc/vdec/inc/omx_vdec.h b/mm-video-v4l2/vidc/vdec/inc/omx_vdec.h
index 59f81a7c4..a34675507 100644
--- a/mm-video-v4l2/vidc/vdec/inc/omx_vdec.h
+++ b/mm-video-v4l2/vidc/vdec/inc/omx_vdec.h
@@ -1,5 +1,5 @@
/*--------------------------------------------------------------------------
-Copyright (c) 2010 - 2015, The Linux Foundation. All rights reserved.
+Copyright (c) 2010 - 2015, 2018, The Linux Foundation. All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
@@ -1171,6 +1171,7 @@ class omx_vdec: public qc_omx_component
}
};
client_extradata_info m_client_extradata_info;
+ bool m_buffer_error;
};
#ifdef _MSM8974_
diff --git a/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp b/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp
index d1311f6ce..11b882aac 100644
--- a/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp
+++ b/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp
@@ -1,5 +1,5 @@
/*--------------------------------------------------------------------------
-Copyright (c) 2010 - 2015, The Linux Foundation. All rights reserved.
+Copyright (c) 2010 - 2015, 2018, The Linux Foundation. All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
@@ -596,7 +596,8 @@ omx_vdec::omx_vdec(): m_error_propogated(false),
stereo_output_mode(HAL_NO_3D),
m_last_rendered_TS(-1),
m_queued_codec_config_count(0),
- secure_scaling_to_non_secure_opb(false)
+ secure_scaling_to_non_secure_opb(false),
+ m_buffer_error(false)
{
/* Assumption is that , to begin with , we have all the frames with decoder */
DEBUG_PRINT_HIGH("In %u bit OMX vdec Constructor", (unsigned int)sizeof(long) * 8);
@@ -4753,6 +4754,7 @@ OMX_ERRORTYPE omx_vdec::use_output_buffer(
eRet = allocate_output_headers();
if (eRet == OMX_ErrorNone)
eRet = allocate_extradata();
+ output_use_buffer = true;
}
if (eRet == OMX_ErrorNone) {
@@ -5168,7 +5170,6 @@ OMX_ERRORTYPE omx_vdec::free_input_buffer(OMX_BUFFERHEADERTYPE *bufferHdr)
index = bufferHdr - m_inp_mem_ptr;
DEBUG_PRINT_LOW("Free Input Buffer index = %d",index);
- auto_lock l(buf_lock);
bufferHdr->pInputPortPrivate = NULL;
if (index < drv_ctx.ip_buf.actualcount && drv_ctx.ptr_inputbuffer) {
@@ -5374,11 +5375,13 @@ OMX_ERRORTYPE omx_vdec::allocate_input_buffer(
unsigned i = 0;
unsigned char *buf_addr = NULL;
int pmem_fd = -1;
+ unsigned int align_size = 0;
(void) hComp;
(void) port;
+
if (bytes != drv_ctx.ip_buf.buffer_size) {
DEBUG_PRINT_LOW("Requested Size is wrong %u epected is %u",
(unsigned int)bytes, (unsigned int)drv_ctx.ip_buf.buffer_size);
@@ -5433,8 +5436,10 @@ OMX_ERRORTYPE omx_vdec::allocate_input_buffer(
int rc;
DEBUG_PRINT_LOW("Allocate input Buffer");
#ifdef USE_ION
+ align_size = drv_ctx.ip_buf.buffer_size + 512;
+ align_size = (align_size + drv_ctx.ip_buf.alignment - 1)&(~(drv_ctx.ip_buf.alignment - 1));
drv_ctx.ip_buf_ion_info[i].ion_device_fd = alloc_map_ion_memory(
- drv_ctx.ip_buf.buffer_size,drv_ctx.op_buf.alignment,
+ align_size, drv_ctx.op_buf.alignment,
&drv_ctx.ip_buf_ion_info[i].ion_alloc_data,
&drv_ctx.ip_buf_ion_info[i].fd_ion_data, secure_mode ? ION_SECURE : ION_FLAG_CACHED);
if (drv_ctx.ip_buf_ion_info[i].ion_device_fd < 0) {
@@ -5927,6 +5932,10 @@ OMX_ERRORTYPE omx_vdec::allocate_buffer(OMX_IN OMX_HANDLETYPE hC
eRet = allocate_input_buffer(hComp,bufferHdr,port,appData,bytes);
}
} else if (port == OMX_CORE_OUTPUT_PORT_INDEX) {
+ if (output_use_buffer) {
+ DEBUG_PRINT_ERROR("Allocate output buffer not allowed after use buffer");
+ return OMX_ErrorBadParameter;
+ }
eRet = client_buffers.allocate_buffers_color_convert(hComp,bufferHdr,port,
appData,bytes);
} else {
@@ -5987,6 +5996,7 @@ OMX_ERRORTYPE omx_vdec::free_buffer(OMX_IN OMX_HANDLETYPE hComp,
(void) hComp;
DEBUG_PRINT_LOW("In for decoder free_buffer");
+ auto_lock l(buf_lock);
if (m_state == OMX_StateIdle &&
(BITMASK_PRESENT(&m_flags ,OMX_COMPONENT_LOADING_PENDING))) {
DEBUG_PRINT_LOW(" free buffer while Component in Loading pending");
@@ -6003,7 +6013,7 @@ OMX_ERRORTYPE omx_vdec::free_buffer(OMX_IN OMX_HANDLETYPE hComp,
post_event(OMX_EventError,
OMX_ErrorPortUnpopulated,
OMX_COMPONENT_GENERATE_EVENT);
-
+ m_buffer_error = true;
return OMX_ErrorIncorrectStateOperation;
} else if (m_state != OMX_StateInvalid) {
DEBUG_PRINT_ERROR("Invalid state to free buffer,port lost Buffers");
@@ -6011,7 +6021,6 @@ OMX_ERRORTYPE omx_vdec::free_buffer(OMX_IN OMX_HANDLETYPE hComp,
OMX_ErrorPortUnpopulated,
OMX_COMPONENT_GENERATE_EVENT);
}
-
if (port == OMX_CORE_INPUT_PORT_INDEX) {
/*Check if arbitrary bytes*/
if (!arbitrary_bytes && !input_use_buffer)
@@ -6108,6 +6117,7 @@ OMX_ERRORTYPE omx_vdec::free_buffer(OMX_IN OMX_HANDLETYPE hComp,
BITMASK_CLEAR((&m_flags),OMX_COMPONENT_LOADING_PENDING);
post_event(OMX_CommandStateSet, OMX_StateLoaded,
OMX_COMPONENT_GENERATE_EVENT);
+ m_buffer_error = false;
}
}
return eRet;
@@ -6281,6 +6291,11 @@ OMX_ERRORTYPE omx_vdec::empty_this_buffer_proxy(OMX_IN OMX_HANDLETYPE hComp,
if (!temp_buffer || (temp_buffer - drv_ctx.ptr_inputbuffer) > (int)drv_ctx.ip_buf.actualcount) {
return OMX_ErrorBadParameter;
}
+
+ if (BITMASK_ABSENT(&m_inp_bm_count, nPortIndex) || m_buffer_error) {
+ DEBUG_PRINT_ERROR("ETBProxy: ERROR: invalid buffer, nPortIndex %u", nPortIndex);
+ return OMX_ErrorBadParameter;
+ }
/* If its first frame, H264 codec and reject is true, then parse the nal
and get the profile. Based on this, reject the clip playback */
if (first_frame == 0 && codec_type_parse == CODEC_TYPE_H264 &&
@@ -6568,6 +6583,7 @@ OMX_ERRORTYPE omx_vdec::fill_this_buffer_proxy(
struct vdec_bufferpayload *ptr_outputbuffer = NULL;
struct vdec_output_frameinfo *ptr_respbuffer = NULL;
+ auto_lock l(buf_lock);
nPortIndex = buffer-((OMX_BUFFERHEADERTYPE *)client_buffers.get_il_buf_hdr());
if (bufferAdd == NULL || nPortIndex >= drv_ctx.op_buf.actualcount) {
@@ -6576,6 +6592,10 @@ OMX_ERRORTYPE omx_vdec::fill_this_buffer_proxy(
return OMX_ErrorBadParameter;
}
+ if (BITMASK_ABSENT(&m_out_bm_count, nPortIndex) || m_buffer_error) {
+ DEBUG_PRINT_ERROR("FTBProxy: ERROR: invalid buffer, nPortIndex %u", nPortIndex);
+ return OMX_ErrorBadParameter;
+ }
DEBUG_PRINT_LOW("FTBProxy: bufhdr = %p, bufhdr->pBuffer = %p",
bufferAdd, bufferAdd->pBuffer);
/*Return back the output buffer to client*/
@@ -7762,7 +7782,7 @@ int omx_vdec::async_message_process (void *context, void* message)
output_respbuf->pic_type = PICTURE_TYPE_B;
}
- if (omx->output_use_buffer)
+ if (!omx->m_enable_android_native_buffers && omx->output_use_buffer)
memcpy ( omxhdr->pBuffer, (void *)
((unsigned long)vdec_msg->msgdata.output_frame.bufferaddr +
(unsigned long)vdec_msg->msgdata.output_frame.offset),

View File

@ -0,0 +1,179 @@
From f42b03df24d3acd5caaa2628c206c591ccc023eb Mon Sep 17 00:00:00 2001
From: Ray Essick <essick@google.com>
Date: Mon, 2 Jul 2018 16:00:09 -0700
Subject: [PATCH] mm-video-v4l2: Protect buffer access and increase input
buffer size
Protect buffer access for below scenarios:
*Increase the scope of buf_lock in free_buffer to avoid access
of freed buffer for both input and output buffers. Also, add check
before output buffer access.
*Disallow allocate buffer mode after client has called use buffer.
Allocate additional 512 bytes of memory for input buffers on top of
allocation size as per hardware requirement.
Bug: 64340487
Test: ran POC on sailfish/nyc-mr1-dev
Change-Id: Ic13b511b2d1c46e0b158880c41c9a02e2fefd113
Merged-In: Id699404d6c276c8702826d79b3a6ba9755b3439f
(cherry picked from commit 660db9e9708872f9a407ac14e92a5017599ced34)
---
.../mm-video-v4l2/vidc/vdec/inc/omx_vdec.h | 3 +-
.../vidc/vdec/src/omx_vdec_v4l2.cpp | 32 +++++++++++++++----
2 files changed, 28 insertions(+), 7 deletions(-)
diff --git a/msm8996/mm-video-v4l2/vidc/vdec/inc/omx_vdec.h b/msm8996/mm-video-v4l2/vidc/vdec/inc/omx_vdec.h
index d400fc39e..f0958b166 100644
--- a/msm8996/mm-video-v4l2/vidc/vdec/inc/omx_vdec.h
+++ b/msm8996/mm-video-v4l2/vidc/vdec/inc/omx_vdec.h
@@ -1,5 +1,5 @@
/*--------------------------------------------------------------------------
-Copyright (c) 2010 - 2016, The Linux Foundation. All rights reserved.
+Copyright (c) 2010 - 2016, 2018, The Linux Foundation. All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
@@ -1173,6 +1173,7 @@ class omx_vdec: public qc_omx_component
static OMX_ERRORTYPE describeColorFormat(OMX_PTR params);
void prefetchNewBuffers();
+ bool m_buffer_error;
};
#ifdef _MSM8974_
diff --git a/msm8996/mm-video-v4l2/vidc/vdec/src/omx_vdec_v4l2.cpp b/msm8996/mm-video-v4l2/vidc/vdec/src/omx_vdec_v4l2.cpp
index 9d041e990..003cd9b56 100644
--- a/msm8996/mm-video-v4l2/vidc/vdec/src/omx_vdec_v4l2.cpp
+++ b/msm8996/mm-video-v4l2/vidc/vdec/src/omx_vdec_v4l2.cpp
@@ -1,5 +1,5 @@
/*--------------------------------------------------------------------------
-Copyright (c) 2010 - 2016, The Linux Foundation. All rights reserved.
+Copyright (c) 2010 - 2016, 2018, The Linux Foundation. All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
@@ -647,7 +647,8 @@ omx_vdec::omx_vdec(): m_error_propogated(false),
m_queued_codec_config_count(0),
current_perf_level(V4L2_CID_MPEG_VIDC_PERF_LEVEL_NOMINAL),
secure_scaling_to_non_secure_opb(false),
- m_force_compressed_for_dpb(false)
+ m_force_compressed_for_dpb(false),
+ m_buffer_error(false)
{
m_pipe_in = -1;
m_pipe_out = -1;
@@ -5525,6 +5526,7 @@ OMX_ERRORTYPE omx_vdec::use_output_buffer(
eRet = allocate_output_headers();
if (eRet == OMX_ErrorNone)
eRet = allocate_extradata();
+ output_use_buffer = true;
}
if (eRet == OMX_ErrorNone) {
@@ -5947,7 +5949,6 @@ OMX_ERRORTYPE omx_vdec::free_input_buffer(OMX_BUFFERHEADERTYPE *bufferHdr)
index = bufferHdr - m_inp_mem_ptr;
DEBUG_PRINT_LOW("Free Input Buffer index = %d",index);
- auto_lock l(buf_lock);
bufferHdr->pInputPortPrivate = NULL;
if (index < drv_ctx.ip_buf.actualcount && drv_ctx.ptr_inputbuffer) {
@@ -6156,6 +6157,7 @@ OMX_ERRORTYPE omx_vdec::allocate_input_buffer(
unsigned i = 0;
unsigned char *buf_addr = NULL;
int pmem_fd = -1;
+ unsigned int align_size = 0;
(void) hComp;
(void) port;
@@ -6215,8 +6217,10 @@ OMX_ERRORTYPE omx_vdec::allocate_input_buffer(
int rc;
DEBUG_PRINT_LOW("Allocate input Buffer");
#ifdef USE_ION
+ align_size = drv_ctx.ip_buf.buffer_size + 512;
+ align_size = (align_size + drv_ctx.ip_buf.alignment - 1)&(~(drv_ctx.ip_buf.alignment - 1));
drv_ctx.ip_buf_ion_info[i].ion_device_fd = alloc_map_ion_memory(
- drv_ctx.ip_buf.buffer_size,drv_ctx.op_buf.alignment,
+ align_size, drv_ctx.op_buf.alignment,
&drv_ctx.ip_buf_ion_info[i].ion_alloc_data,
&drv_ctx.ip_buf_ion_info[i].fd_ion_data, secure_mode ?
SECURE_FLAGS_INPUT_BUFFER : ION_FLAG_CACHED);
@@ -6704,6 +6708,10 @@ OMX_ERRORTYPE omx_vdec::allocate_buffer(OMX_IN OMX_HANDLETYPE hC
eRet = allocate_input_buffer(hComp,bufferHdr,port,appData,bytes);
}
} else if (port == OMX_CORE_OUTPUT_PORT_INDEX) {
+ if (output_use_buffer) {
+ DEBUG_PRINT_ERROR("Allocate output buffer not allowed after use buffer");
+ return OMX_ErrorBadParameter;
+ }
eRet = client_buffers.allocate_buffers_color_convert(hComp,bufferHdr,port,
appData,bytes);
} else {
@@ -6764,6 +6772,7 @@ OMX_ERRORTYPE omx_vdec::free_buffer(OMX_IN OMX_HANDLETYPE hComp,
(void) hComp;
DEBUG_PRINT_LOW("In for decoder free_buffer");
+ auto_lock l(buf_lock);
if (m_state == OMX_StateIdle &&
(BITMASK_PRESENT(&m_flags ,OMX_COMPONENT_LOADING_PENDING))) {
DEBUG_PRINT_LOW(" free buffer while Component in Loading pending");
@@ -6780,7 +6789,7 @@ OMX_ERRORTYPE omx_vdec::free_buffer(OMX_IN OMX_HANDLETYPE hComp,
post_event(OMX_EventError,
OMX_ErrorPortUnpopulated,
OMX_COMPONENT_GENERATE_EVENT);
-
+ m_buffer_error = true;
return OMX_ErrorIncorrectStateOperation;
} else if (m_state != OMX_StateInvalid) {
DEBUG_PRINT_ERROR("Invalid state to free buffer,port lost Buffers");
@@ -6885,6 +6894,7 @@ OMX_ERRORTYPE omx_vdec::free_buffer(OMX_IN OMX_HANDLETYPE hComp,
BITMASK_CLEAR((&m_flags),OMX_COMPONENT_LOADING_PENDING);
post_event(OMX_CommandStateSet, OMX_StateLoaded,
OMX_COMPONENT_GENERATE_EVENT);
+ m_buffer_error = false;
}
}
return eRet;
@@ -7054,6 +7064,11 @@ OMX_ERRORTYPE omx_vdec::empty_this_buffer_proxy(OMX_IN OMX_HANDLETYPE hComp,
if (!temp_buffer || (temp_buffer - drv_ctx.ptr_inputbuffer) > (int)drv_ctx.ip_buf.actualcount) {
return OMX_ErrorBadParameter;
}
+
+ if (BITMASK_ABSENT(&m_inp_bm_count, nPortIndex) || m_buffer_error) {
+ DEBUG_PRINT_ERROR("ETBProxy: ERROR: invalid buffer, nPortIndex %u", nPortIndex);
+ return OMX_ErrorBadParameter;
+ }
/* If its first frame, H264 codec and reject is true, then parse the nal
and get the profile. Based on this, reject the clip playback */
if (first_frame == 0 && codec_type_parse == CODEC_TYPE_H264 &&
@@ -7343,6 +7358,7 @@ OMX_ERRORTYPE omx_vdec::fill_this_buffer_proxy(
struct vdec_bufferpayload *ptr_outputbuffer = NULL;
struct vdec_output_frameinfo *ptr_respbuffer = NULL;
+ auto_lock l(buf_lock);
nPortIndex = buffer-((OMX_BUFFERHEADERTYPE *)client_buffers.get_il_buf_hdr());
if (bufferAdd == NULL || nPortIndex >= drv_ctx.op_buf.actualcount) {
@@ -7351,6 +7367,10 @@ OMX_ERRORTYPE omx_vdec::fill_this_buffer_proxy(
return OMX_ErrorBadParameter;
}
+ if (BITMASK_ABSENT(&m_out_bm_count, nPortIndex) || m_buffer_error) {
+ DEBUG_PRINT_ERROR("FTBProxy: ERROR: invalid buffer, nPortIndex %u", nPortIndex);
+ return OMX_ErrorBadParameter;
+ }
DEBUG_PRINT_LOW("FTBProxy: bufhdr = %p, bufhdr->pBuffer = %p",
bufferAdd, bufferAdd->pBuffer);
/*Return back the output buffer to client*/
@@ -8624,7 +8644,7 @@ int omx_vdec::async_message_process (void *context, void* message)
if (omxhdr && omxhdr->nFilledLen) {
omx->request_perf_level(VIDC_NOMINAL);
}
- if (omx->output_use_buffer && omxhdr->pBuffer &&
+ if (!omx->m_enable_android_native_buffers && omx->output_use_buffer && omxhdr->pBuffer &&
vdec_msg->msgdata.output_frame.bufferaddr)
memcpy ( omxhdr->pBuffer, (void *)
((unsigned long)vdec_msg->msgdata.output_frame.bufferaddr +

View File

@ -0,0 +1,175 @@
From 603c2ff8064e479640a45c04f0f9a307e465f63d Mon Sep 17 00:00:00 2001
From: Ray Essick <essick@google.com>
Date: Fri, 29 Jun 2018 14:12:19 -0700
Subject: [PATCH] mm-video-v4l2: Squash below changes
mm-video-v4l2: Protect buffer access and increase input buffer size
Protect buffer access for below scenarios:
*Increase the scope of buf_lock in free_buffer to avoid access
of freed buffer for both input and output buffers. Also, add check
before output buffer access.
*Disallow allocate buffer mode after client has called use buffer.
Allocate additional 512 bytes of memory for input buffers on top of
allocation size as per hardware requirement.
mm-video-v4l2: correct the buffer error flag setting
The buffer error flag setting is corrected in free_buffer()
call
Bug: 64340487
Test: poc from bug
Change-Id: I8a28d86135f2fc39a45a6a07355845327dec2dfa
Merged-In: I32d6cb7f61b873edd567881d1bf3e620cd78e715
(cherry picked from commit 808b94b164c39d75d78481f301151fc299b201cc)
---
.../mm-video-v4l2/vidc/vdec/inc/omx_vdec.h | 3 +-
.../vidc/vdec/src/omx_vdec_v4l2.cpp | 30 +++++++++++++++----
2 files changed, 27 insertions(+), 6 deletions(-)
diff --git a/msm8998/mm-video-v4l2/vidc/vdec/inc/omx_vdec.h b/msm8998/mm-video-v4l2/vidc/vdec/inc/omx_vdec.h
index 05d6bc777..21f4c20fa 100644
--- a/msm8998/mm-video-v4l2/vidc/vdec/inc/omx_vdec.h
+++ b/msm8998/mm-video-v4l2/vidc/vdec/inc/omx_vdec.h
@@ -1,5 +1,5 @@
/*--------------------------------------------------------------------------
-Copyright (c) 2010 - 2016, The Linux Foundation. All rights reserved.
+Copyright (c) 2010 - 2018, The Linux Foundation. All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
@@ -1275,6 +1275,7 @@ class omx_vdec: public qc_omx_component
}
};
client_extradata_info m_client_extradata_info;
+ bool m_buffer_error;
};
#ifdef _MSM8974_
diff --git a/msm8998/mm-video-v4l2/vidc/vdec/src/omx_vdec_v4l2.cpp b/msm8998/mm-video-v4l2/vidc/vdec/src/omx_vdec_v4l2.cpp
index 99b0c6e78..cfb72d83b 100644
--- a/msm8998/mm-video-v4l2/vidc/vdec/src/omx_vdec_v4l2.cpp
+++ b/msm8998/mm-video-v4l2/vidc/vdec/src/omx_vdec_v4l2.cpp
@@ -668,7 +668,8 @@ omx_vdec::omx_vdec(): m_error_propogated(false),
current_perf_level(V4L2_CID_MPEG_VIDC_PERF_LEVEL_NOMINAL),
secure_scaling_to_non_secure_opb(false),
m_force_compressed_for_dpb(true),
- m_is_display_session(false)
+ m_is_display_session(false),
+ m_buffer_error(false)
{
m_pipe_in = -1;
m_pipe_out = -1;
@@ -5823,6 +5824,7 @@ OMX_ERRORTYPE omx_vdec::use_output_buffer(
eRet = allocate_output_headers();
if (eRet == OMX_ErrorNone)
eRet = allocate_extradata();
+ output_use_buffer = true;
}
if (eRet == OMX_ErrorNone) {
@@ -6245,7 +6247,6 @@ OMX_ERRORTYPE omx_vdec::free_input_buffer(OMX_BUFFERHEADERTYPE *bufferHdr)
index = bufferHdr - m_inp_mem_ptr;
DEBUG_PRINT_LOW("Free Input Buffer index = %d",index);
- auto_lock l(buf_lock);
bufferHdr->pInputPortPrivate = NULL;
if (index < drv_ctx.ip_buf.actualcount && drv_ctx.ptr_inputbuffer) {
@@ -6459,6 +6460,7 @@ OMX_ERRORTYPE omx_vdec::allocate_input_buffer(
unsigned i = 0;
unsigned char *buf_addr = NULL;
int pmem_fd = -1;
+ unsigned int align_size = 0;
(void) hComp;
(void) port;
@@ -6518,8 +6520,10 @@ OMX_ERRORTYPE omx_vdec::allocate_input_buffer(
int rc;
DEBUG_PRINT_LOW("Allocate input Buffer");
#ifdef USE_ION
+ align_size = drv_ctx.ip_buf.buffer_size + 512;
+ align_size = (align_size + drv_ctx.ip_buf.alignment - 1)&(~(drv_ctx.ip_buf.alignment - 1));
drv_ctx.ip_buf_ion_info[i].ion_device_fd = alloc_map_ion_memory(
- drv_ctx.ip_buf.buffer_size,drv_ctx.op_buf.alignment,
+ align_size, drv_ctx.op_buf.alignment,
&drv_ctx.ip_buf_ion_info[i].ion_alloc_data,
&drv_ctx.ip_buf_ion_info[i].fd_ion_data, secure_mode ?
SECURE_FLAGS_INPUT_BUFFER : ION_FLAG_CACHED);
@@ -7011,6 +7015,10 @@ OMX_ERRORTYPE omx_vdec::allocate_buffer(OMX_IN OMX_HANDLETYPE hC
eRet = allocate_input_buffer(hComp,bufferHdr,port,appData,bytes);
}
} else if (port == OMX_CORE_OUTPUT_PORT_INDEX) {
+ if (output_use_buffer) {
+ DEBUG_PRINT_ERROR("Allocate output buffer not allowed after use buffer");
+ return OMX_ErrorBadParameter;
+ }
eRet = client_buffers.allocate_buffers_color_convert(hComp,bufferHdr,port,
appData,bytes);
} else {
@@ -7071,6 +7079,7 @@ OMX_ERRORTYPE omx_vdec::free_buffer(OMX_IN OMX_HANDLETYPE hComp,
(void) hComp;
DEBUG_PRINT_LOW("In for decoder free_buffer");
+ auto_lock l(buf_lock);
if (m_state == OMX_StateIdle &&
(BITMASK_PRESENT(&m_flags ,OMX_COMPONENT_LOADING_PENDING))) {
DEBUG_PRINT_LOW(" free buffer while Component in Loading pending");
@@ -7087,7 +7096,7 @@ OMX_ERRORTYPE omx_vdec::free_buffer(OMX_IN OMX_HANDLETYPE hComp,
post_event(OMX_EventError,
OMX_ErrorPortUnpopulated,
OMX_COMPONENT_GENERATE_EVENT);
-
+ m_buffer_error = true;
return OMX_ErrorIncorrectStateOperation;
} else if (m_state != OMX_StateInvalid) {
DEBUG_PRINT_ERROR("Invalid state to free buffer,port lost Buffers");
@@ -7192,6 +7201,7 @@ OMX_ERRORTYPE omx_vdec::free_buffer(OMX_IN OMX_HANDLETYPE hComp,
BITMASK_CLEAR((&m_flags),OMX_COMPONENT_LOADING_PENDING);
post_event(OMX_CommandStateSet, OMX_StateLoaded,
OMX_COMPONENT_GENERATE_EVENT);
+ m_buffer_error = false;
}
}
return eRet;
@@ -7363,6 +7373,11 @@ OMX_ERRORTYPE omx_vdec::empty_this_buffer_proxy(OMX_IN OMX_HANDLETYPE hComp,
if (!temp_buffer || (temp_buffer - drv_ctx.ptr_inputbuffer) > (int)drv_ctx.ip_buf.actualcount) {
return OMX_ErrorBadParameter;
}
+
+ if (BITMASK_ABSENT(&m_inp_bm_count, nPortIndex) || m_buffer_error) {
+ DEBUG_PRINT_ERROR("ETBProxy: ERROR: invalid buffer, nPortIndex %u", nPortIndex);
+ return OMX_ErrorBadParameter;
+ }
/* If its first frame, H264 codec and reject is true, then parse the nal
and get the profile. Based on this, reject the clip playback */
if (first_frame == 0 && codec_type_parse == CODEC_TYPE_H264 &&
@@ -7664,6 +7679,7 @@ OMX_ERRORTYPE omx_vdec::fill_this_buffer_proxy(
struct vdec_bufferpayload *ptr_outputbuffer = NULL;
struct vdec_output_frameinfo *ptr_respbuffer = NULL;
+ auto_lock l(buf_lock);
nPortIndex = buffer-((OMX_BUFFERHEADERTYPE *)client_buffers.get_il_buf_hdr());
if (bufferAdd == NULL || nPortIndex >= drv_ctx.op_buf.actualcount) {
@@ -7672,6 +7688,10 @@ OMX_ERRORTYPE omx_vdec::fill_this_buffer_proxy(
return OMX_ErrorBadParameter;
}
+ if (BITMASK_ABSENT(&m_out_bm_count, nPortIndex) || m_buffer_error) {
+ DEBUG_PRINT_ERROR("FTBProxy: ERROR: invalid buffer, nPortIndex %u", nPortIndex);
+ return OMX_ErrorBadParameter;
+ }
DEBUG_PRINT_LOW("FTBProxy: bufhdr = %p, bufhdr->pBuffer = %p",
bufferAdd, bufferAdd->pBuffer);
/*Return back the output buffer to client*/
@@ -9032,7 +9052,7 @@ int omx_vdec::async_message_process (void *context, void* message)
if (omxhdr && omxhdr->nFilledLen && !omx->high_fps) {
omx->request_perf_level(VIDC_NOMINAL);
}
- if (omx->output_use_buffer && omxhdr->pBuffer &&
+ if (!omx->m_enable_android_native_buffers && omx->output_use_buffer && omxhdr->pBuffer &&
vdec_msg->msgdata.output_frame.bufferaddr)
memcpy ( omxhdr->pBuffer, (void *)
((unsigned long)vdec_msg->msgdata.output_frame.bufferaddr +

View File

@ -96,7 +96,6 @@ patchWorkspace() {
umask 0022; umask 0022;
if [ "$DOS_MALWARE_SCAN_ENABLED" = true ]; then scanForMalware false "$DOS_PREBUILT_APPS $DOS_BUILD_BASE/build $DOS_BUILD_BASE/device $DOS_BUILD_BASE/vendor/cm"; fi; if [ "$DOS_MALWARE_SCAN_ENABLED" = true ]; then scanForMalware false "$DOS_PREBUILT_APPS $DOS_BUILD_BASE/build $DOS_BUILD_BASE/device $DOS_BUILD_BASE/vendor/cm"; fi;
source build/envsetup.sh; source build/envsetup.sh;
repopick -ift n_asb_09-2018-qcom; #TODO: move in tree
#repopick -it bt-sbc-hd-dualchannel-nougat; #repopick -it bt-sbc-hd-dualchannel-nougat;
repopick -it n-asb-2021-06; repopick -it n-asb-2021-06;
repopick -it n-asb-2021-07; repopick -it n-asb-2021-07;

View File

@ -141,6 +141,7 @@ git apply "$DOS_PATCHES_COMMON/android_hardware_qcom_display/CVE-2019-2306-msm89
git apply "$DOS_PATCHES_COMMON/android_hardware_qcom_display/CVE-2019-2306-msm8974.patch" --directory msm8974; git apply "$DOS_PATCHES_COMMON/android_hardware_qcom_display/CVE-2019-2306-msm8974.patch" --directory msm8974;
git apply "$DOS_PATCHES_COMMON/android_hardware_qcom_display/CVE-2019-2306-msm8994.patch" --directory msm8994; git apply "$DOS_PATCHES_COMMON/android_hardware_qcom_display/CVE-2019-2306-msm8994.patch" --directory msm8994;
#missing msm8909, msm8996, msm8998 #missing msm8909, msm8996, msm8998
git apply "$DOS_PATCHES/android_hardware_qcom_display/229952.patch"; #n_asb_09-2018-qcom
fi; fi;
if enterAndClear "hardware/qcom/display-caf/apq8084"; then if enterAndClear "hardware/qcom/display-caf/apq8084"; then
@ -167,10 +168,31 @@ if enterAndClear "hardware/qcom/display-caf/msm8994"; then
git apply "$DOS_PATCHES_COMMON/android_hardware_qcom_display/CVE-2019-2306-msm8994.patch"; git apply "$DOS_PATCHES_COMMON/android_hardware_qcom_display/CVE-2019-2306-msm8994.patch";
fi; fi;
if enterAndClear "hardware/qcom/display-caf/msm8996"; then
git apply "$DOS_PATCHES/android_hardware_qcom_display/227623.patch"; #n_asb_09-2018-qcom
fi;
if enterAndClear "hardware/qcom/display-caf/msm8998"; then
git apply "$DOS_PATCHES/android_hardware_qcom_display/227624.patch"; #n_asb_09-2018-qcom
fi;
if enterAndClear "hardware/qcom/gps"; then if enterAndClear "hardware/qcom/gps"; then
git apply "$DOS_PATCHES/android_hardware_qcom_gps/0001-rollover.patch"; #fix week rollover git apply "$DOS_PATCHES/android_hardware_qcom_gps/0001-rollover.patch"; #fix week rollover
fi; fi;
if enterAndClear "hardware/qcom/media"; then
git apply "$DOS_PATCHES/android_hardware_qcom_media/229950.patch"; #n_asb_09-2018-qcom
git apply "$DOS_PATCHES/android_hardware_qcom_media/229951.patch"; #n_asb_09-2018-qcom
fi;
if enterAndClear "hardware/qcom/media-caf/apq8084"; then
git apply "$DOS_PATCHES/android_hardware_qcom_media/227620.patch"; #n_asb_09-2018-qcom
fi;
if enterAndClear "hardware/qcom/media-caf/msm8994"; then
git apply "$DOS_PATCHES/android_hardware_qcom_media/227622.patch"; #n_asb_09-2018-qcom
fi;
if enterAndClear "packages/apps/CMParts"; then if enterAndClear "packages/apps/CMParts"; then
rm -rf src/org/cyanogenmod/cmparts/cmstats/ res/xml/anonymous_stats.xml res/xml/preview_data.xml; #Nuke part of CMStats rm -rf src/org/cyanogenmod/cmparts/cmstats/ res/xml/anonymous_stats.xml res/xml/preview_data.xml; #Nuke part of CMStats
patch -p1 < "$DOS_PATCHES/android_packages_apps_CMParts/0001-Remove_Analytics.patch"; #Remove the rest of CMStats patch -p1 < "$DOS_PATCHES/android_packages_apps_CMParts/0001-Remove_Analytics.patch"; #Remove the rest of CMStats