mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-10-01 01:35:54 -04:00
082bc48c32
https://review.lineageos.org/q/topic:P_asb_2022-05 https://review.lineageos.org/q/topic:P_asb_2022-06 https://review.lineageos.org/q/topic:P_asb_2022-07 https://review.lineageos.org/q/topic:P_asb_2022-08 https://review.lineageos.org/q/topic:P_asb_2022-09 https://review.lineageos.org/q/topic:P_asb_2022-10 https://review.lineageos.org/q/topic:P_asb_2022-11 https://review.lineageos.org/q/topic:P_asb_2022-12 https://review.lineageos.org/q/topic:P_asb_2023-01 https://review.lineageos.org/q/topic:P_asb_2023-02 https://review.lineageos.org/q/topic:P_asb_2023-03 https://review.lineageos.org/q/topic:P_asb_2023-04 https://review.lineageos.org/q/topic:P_asb_2023-05 https://review.lineageos.org/q/topic:P_asb_2023-06 https://review.lineageos.org/q/topic:P_asb_2023-07 accounted for via manifest change: https://review.lineageos.org/c/LineageOS/android_external_freetype/+/361250 https://review.lineageos.org/q/topic:P_asb_2023-08 accounted for via manifest change: https://review.lineageos.org/c/LineageOS/android_external_freetype/+/364606 accounted for via patches: https://review.lineageos.org/c/LineageOS/android_system_ca-certificates/+/365328 https://review.lineageos.org/q/topic:P_asb_2023-09 https://review.lineageos.org/q/topic:P_asb_2023-10 https://review.lineageos.org/q/topic:P_asb_2023-11 accounted for via patches: https://review.lineageos.org/c/LineageOS/android_system_ca-certificates/+/374916 https://review.lineageos.org/q/topic:P_asb_2023-12 https://review.lineageos.org/q/topic:P_asb_2024-01 https://review.lineageos.org/q/topic:P_asb_2024-02 https://review.lineageos.org/q/topic:P_asb_2024-03 https://review.lineageos.org/q/topic:P_asb_2024-04 Signed-off-by: Tavi <tavi@divested.dev>
107 lines
3.9 KiB
Diff
107 lines
3.9 KiB
Diff
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
From: Toni Heidenreich <tonihei@google.com>
|
|
Date: Wed, 6 Sep 2023 12:49:33 +0000
|
|
Subject: [PATCH] httplive: fix use-after-free
|
|
|
|
Implement a mutex to ensure secure multi-threaded
|
|
access to the KeyedVector in MetaDataBase.
|
|
Concurrent access by different threads can lead
|
|
to accessing the wrong memory location due to
|
|
potential changes in the vector
|
|
|
|
Bug: 298057702
|
|
Test: HTTP Live Streaming test
|
|
(cherry picked from https://partner-android-review.googlesource.com/q/commit:a2dfb31957a9d5358d0219a0eda7dcb5b0fff5fe)
|
|
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:90fb4ca425444429ada6ce0de1c13d35829bc196)
|
|
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:3c1d9613ef64e01d2e81c4aa44c90dcd8ca958b9)
|
|
Merged-In: I46b05c85d9c39f4ce549efc160c08a0646c9fd0a
|
|
Change-Id: I46b05c85d9c39f4ce549efc160c08a0646c9fd0a
|
|
|
|
Change-Id: Ibad99da2ee0d9259844c32f954e6db290043e45b
|
|
---
|
|
media/libmediaextractor/MetaDataBase.cpp | 11 +++++++++++
|
|
1 file changed, 11 insertions(+)
|
|
|
|
diff --git a/media/libmediaextractor/MetaDataBase.cpp b/media/libmediaextractor/MetaDataBase.cpp
|
|
index bfea6f1537..a3c623e354 100644
|
|
--- a/media/libmediaextractor/MetaDataBase.cpp
|
|
+++ b/media/libmediaextractor/MetaDataBase.cpp
|
|
@@ -24,6 +24,8 @@
|
|
#include <stdlib.h>
|
|
#include <string.h>
|
|
|
|
+#include <mutex>
|
|
+
|
|
#include <media/stagefright/foundation/ADebug.h>
|
|
#include <media/stagefright/foundation/AString.h>
|
|
#include <media/stagefright/foundation/hexdump.h>
|
|
@@ -75,6 +77,7 @@ struct MetaDataBase::Rect {
|
|
|
|
|
|
struct MetaDataBase::MetaDataInternal {
|
|
+ std::mutex mLock;
|
|
KeyedVector<uint32_t, MetaDataBase::typed_data> mItems;
|
|
};
|
|
|
|
@@ -99,10 +102,12 @@ MetaDataBase::~MetaDataBase() {
|
|
}
|
|
|
|
void MetaDataBase::clear() {
|
|
+ std::lock_guard<std::mutex> guard(mInternalData->mLock);
|
|
mInternalData->mItems.clear();
|
|
}
|
|
|
|
bool MetaDataBase::remove(uint32_t key) {
|
|
+ std::lock_guard<std::mutex> guard(mInternalData->mLock);
|
|
ssize_t i = mInternalData->mItems.indexOfKey(key);
|
|
|
|
if (i < 0) {
|
|
@@ -249,6 +254,7 @@ bool MetaDataBase::setData(
|
|
uint32_t key, uint32_t type, const void *data, size_t size) {
|
|
bool overwrote_existing = true;
|
|
|
|
+ std::lock_guard<std::mutex> guard(mInternalData->mLock);
|
|
ssize_t i = mInternalData->mItems.indexOfKey(key);
|
|
if (i < 0) {
|
|
typed_data item;
|
|
@@ -266,6 +272,7 @@ bool MetaDataBase::setData(
|
|
|
|
bool MetaDataBase::findData(uint32_t key, uint32_t *type,
|
|
const void **data, size_t *size) const {
|
|
+ std::lock_guard<std::mutex> guard(mInternalData->mLock);
|
|
ssize_t i = mInternalData->mItems.indexOfKey(key);
|
|
|
|
if (i < 0) {
|
|
@@ -280,6 +287,7 @@ bool MetaDataBase::findData(uint32_t key, uint32_t *type,
|
|
}
|
|
|
|
bool MetaDataBase::hasData(uint32_t key) const {
|
|
+ std::lock_guard<std::mutex> guard(mInternalData->mLock);
|
|
ssize_t i = mInternalData->mItems.indexOfKey(key);
|
|
|
|
if (i < 0) {
|
|
@@ -426,6 +434,7 @@ static void MakeFourCCString(uint32_t x, char *s) {
|
|
|
|
String8 MetaDataBase::toString() const {
|
|
String8 s;
|
|
+ std::lock_guard<std::mutex> guard(mInternalData->mLock);
|
|
for (int i = mInternalData->mItems.size(); --i >= 0;) {
|
|
int32_t key = mInternalData->mItems.keyAt(i);
|
|
char cc[5];
|
|
@@ -440,6 +449,7 @@ String8 MetaDataBase::toString() const {
|
|
}
|
|
|
|
void MetaDataBase::dumpToLog() const {
|
|
+ std::lock_guard<std::mutex> guard(mInternalData->mLock);
|
|
for (int i = mInternalData->mItems.size(); --i >= 0;) {
|
|
int32_t key = mInternalData->mItems.keyAt(i);
|
|
char cc[5];
|
|
@@ -451,6 +461,7 @@ void MetaDataBase::dumpToLog() const {
|
|
|
|
status_t MetaDataBase::writeToParcel(Parcel &parcel) {
|
|
status_t ret;
|
|
+ std::lock_guard<std::mutex> guard(mInternalData->mLock);
|
|
size_t numItems = mInternalData->mItems.size();
|
|
ret = parcel.writeUint32(uint32_t(numItems));
|
|
if (ret) {
|