mm-video-v4l2: venc: Use client allocated memory if available

IL client may free the buffer and calls for free buffer on IL component to free the buffer header. It may happen that the IL component may reject the free buffer due to various reasons. In such scenario, client might have already freed the memory allocated by client (such scenario will appear in use buffer mode of buffer allocation). Now accessing client buffer in such scenario may lead to use after free vulnerability. Added a flag to indicate if the client buffer is available to perform any operation on the client allocated memory. If not, restrict from doing any operation on client memory. Bug: 62452543 CRs-Fixed: 2106434 Test: build & boot Test: cts-tradefed run cts-dev --module CtsMediaTestCases --compatibility:module-arg CtsMediaTestCases:include-annotation:android.platform.test.annotations.RequiresDevice Change-Id: If24c36b9a1cca36a2728d3aec8ab589a48a9da35 Author: Vikash Garodia<vgarodia@codeaurora.org>
2024-10-31 22:47:35 +00:00 · 2017-09-19 12:43:02 +05:30 · 2017-09-19 12:43:02 +05:30 · 38641613a6
commit 38641613a6
parent d53750a9db
3 changed files with 10 additions and 1 deletions
--- a/msm8998/mm-video-v4l2/vidc/venc/inc/omx_video_base.h
+++ b/msm8998/mm-video-v4l2/vidc/venc/inc/omx_video_base.h
@ -703,6 +703,7 @@ class omx_video: public qc_omx_component

        uint64_t m_out_bm_count;
        uint64_t m_client_out_bm_count;
+        uint64_t m_client_in_bm_count;
        uint64_t m_inp_bm_count;
        uint64_t m_flags;
        uint64_t m_etb_count;
--- a/msm8998/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp
+++ b/msm8998/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp
@ -290,6 +290,7 @@ omx_video::omx_video():
    allocate_native_handle(false),
    m_out_bm_count(0),
    m_client_out_bm_count(0),
+    m_client_in_bm_count(0),
    m_inp_bm_count(0),
    m_flags(0),
    m_etb_count(0),
@ -2624,6 +2625,7 @@ OMX_ERRORTYPE  omx_video::use_input_buffer(

        *bufferHdr = (m_inp_mem_ptr + i);
        BITMASK_SET(&m_inp_bm_count,i);
+        BITMASK_SET(&m_client_in_bm_count,i);

        (*bufferHdr)->pBuffer           = (OMX_U8 *)buffer;
        (*bufferHdr)->nSize             = sizeof(OMX_BUFFERHEADERTYPE);
@ -3643,6 +3645,10 @@ OMX_ERRORTYPE  omx_video::free_buffer(OMX_IN OMX_HANDLETYPE         hComp,
        nPortIndex = buffer - (OMX_BUFFERHEADERTYPE*)m_out_mem_ptr;
        if(BITMASK_PRESENT(&m_client_out_bm_count, nPortIndex))
            BITMASK_CLEAR(&m_client_out_bm_count,nPortIndex);
+    } else if (port == PORT_INDEX_IN) {
+        nPortIndex = buffer - (meta_mode_enable?meta_buffer_hdr:m_inp_mem_ptr);
+        if(BITMASK_PRESENT(&m_client_in_bm_count, nPortIndex))
+            BITMASK_CLEAR(&m_client_in_bm_count,nPortIndex);
    }
    if (m_state == OMX_StateIdle &&
            (BITMASK_PRESENT(&m_flags ,OMX_COMPONENT_LOADING_PENDING))) {
@ -4004,7 +4010,7 @@ OMX_ERRORTYPE  omx_video::empty_this_buffer_proxy(OMX_IN OMX_HANDLETYPE  hComp,

        auto_lock l(m_buf_lock);
        pmem_data_buf = (OMX_U8 *)m_pInput_pmem[nBufIndex].buffer;
-        if (pmem_data_buf && BITMASK_PRESENT(&m_inp_bm_count, nBufIndex)) {
+        if (pmem_data_buf && BITMASK_PRESENT(&m_client_in_bm_count, nBufIndex)) {
            memcpy (pmem_data_buf, (buffer->pBuffer + buffer->nOffset),
                    buffer->nFilledLen);
        }
--- a/msm8998/mm-video-v4l2/vidc/venc/src/omx_video_encoder.cpp
+++ b/msm8998/mm-video-v4l2/vidc/venc/src/omx_video_encoder.cpp
@ -2391,6 +2391,8 @@ OMX_ERRORTYPE  omx_venc::component_deinit(OMX_IN OMX_HANDLETYPE hComp)
        for (i=0; i<m_sInPortDef.nBufferCountActual; i++ ) {
            if (BITMASK_PRESENT(&m_inp_bm_count, i)) {
                BITMASK_CLEAR(&m_inp_bm_count, i);
+                if (BITMASK_PRESENT(&m_client_in_bm_count, i))
+                    BITMASK_CLEAR(&m_client_in_bm_count, i);
                free_input_buffer (&m_inp_mem_ptr[i]);
            }