From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Toni Heidenreich Date: Wed, 6 Sep 2023 12:49:33 +0000 Subject: [PATCH] httplive: fix use-after-free Implement a mutex to ensure secure multi-threaded access to the KeyedVector in MetaDataBase. Concurrent access by different threads can lead to accessing the wrong memory location due to potential changes in the vector Bug: 298057702 Test: HTTP Live Streaming test (cherry picked from https://partner-android-review.googlesource.com/q/commit:a2dfb31957a9d5358d0219a0eda7dcb5b0fff5fe) (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:90fb4ca425444429ada6ce0de1c13d35829bc196) (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:3c1d9613ef64e01d2e81c4aa44c90dcd8ca958b9) Merged-In: I46b05c85d9c39f4ce549efc160c08a0646c9fd0a Change-Id: I46b05c85d9c39f4ce549efc160c08a0646c9fd0a Change-Id: Ibad99da2ee0d9259844c32f954e6db290043e45b --- media/libmediaextractor/MetaDataBase.cpp | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/media/libmediaextractor/MetaDataBase.cpp b/media/libmediaextractor/MetaDataBase.cpp index bfea6f1537..a3c623e354 100644 --- a/media/libmediaextractor/MetaDataBase.cpp +++ b/media/libmediaextractor/MetaDataBase.cpp @@ -24,6 +24,8 @@ #include #include +#include + #include #include #include @@ -75,6 +77,7 @@ struct MetaDataBase::Rect { struct MetaDataBase::MetaDataInternal { + std::mutex mLock; KeyedVector mItems; }; @@ -99,10 +102,12 @@ MetaDataBase::~MetaDataBase() { } void MetaDataBase::clear() { + std::lock_guard guard(mInternalData->mLock); mInternalData->mItems.clear(); } bool MetaDataBase::remove(uint32_t key) { + std::lock_guard guard(mInternalData->mLock); ssize_t i = mInternalData->mItems.indexOfKey(key); if (i < 0) { @@ -249,6 +254,7 @@ bool MetaDataBase::setData( uint32_t key, uint32_t type, const void *data, size_t size) { bool overwrote_existing = true; + std::lock_guard guard(mInternalData->mLock); ssize_t i = mInternalData->mItems.indexOfKey(key); if (i < 0) { typed_data item; @@ -266,6 +272,7 @@ bool MetaDataBase::setData( bool MetaDataBase::findData(uint32_t key, uint32_t *type, const void **data, size_t *size) const { + std::lock_guard guard(mInternalData->mLock); ssize_t i = mInternalData->mItems.indexOfKey(key); if (i < 0) { @@ -280,6 +287,7 @@ bool MetaDataBase::findData(uint32_t key, uint32_t *type, } bool MetaDataBase::hasData(uint32_t key) const { + std::lock_guard guard(mInternalData->mLock); ssize_t i = mInternalData->mItems.indexOfKey(key); if (i < 0) { @@ -426,6 +434,7 @@ static void MakeFourCCString(uint32_t x, char *s) { String8 MetaDataBase::toString() const { String8 s; + std::lock_guard guard(mInternalData->mLock); for (int i = mInternalData->mItems.size(); --i >= 0;) { int32_t key = mInternalData->mItems.keyAt(i); char cc[5]; @@ -440,6 +449,7 @@ String8 MetaDataBase::toString() const { } void MetaDataBase::dumpToLog() const { + std::lock_guard guard(mInternalData->mLock); for (int i = mInternalData->mItems.size(); --i >= 0;) { int32_t key = mInternalData->mItems.keyAt(i); char cc[5]; @@ -451,6 +461,7 @@ void MetaDataBase::dumpToLog() const { status_t MetaDataBase::writeToParcel(Parcel &parcel) { status_t ret; + std::lock_guard guard(mInternalData->mLock); size_t numItems = mInternalData->mItems.size(); ret = parcel.writeUint32(uint32_t(numItems)); if (ret) {