mm-video-v4l2: venc: Use client allocated memory if available

The IL client may free a buffer and then call free buffer on the IL
component to release the buffer header. The IL component may reject
that free buffer call for various reasons. In that case the client
may already have freed the memory it allocated (this scenario occurs
in the use-buffer mode of buffer allocation), and accessing the
client buffer afterwards may lead to a use-after-free vulnerability.
Added a flag that indicates whether the client buffer is still
available for operations on client-allocated memory. If it is not,
no operation is performed on client memory.

Bug: 62452543
CRs-Fixed: 2106434
Test: build & boot
Test: cts-tradefed run cts-dev --module CtsMediaTestCases --compatibility:module-arg
CtsMediaTestCases:include-annotation:android.platform.test.annotations.RequiresDevice

Change-Id: If24c36b9a1cca36a2728d3aec8ab589a48a9da35
Author: Vikash Garodia<vgarodia@codeaurora.org>
Santhosh Behara 2017-09-19 12:43:02 +05:30 committed by Dongwon Kang
parent d53750a9db
commit 38641613a6
3 changed files with 10 additions and 1 deletions


@ -703,6 +703,7 @@ class omx_video: public qc_omx_component
uint64_t m_out_bm_count;
uint64_t m_client_out_bm_count;
uint64_t m_client_in_bm_count;
uint64_t m_inp_bm_count;
uint64_t m_flags;
uint64_t m_etb_count;


@ -290,6 +290,7 @@ omx_video::omx_video():
allocate_native_handle(false),
m_out_bm_count(0),
m_client_out_bm_count(0),
m_client_in_bm_count(0),
m_inp_bm_count(0),
m_flags(0),
m_etb_count(0),
@ -2624,6 +2625,7 @@ OMX_ERRORTYPE omx_video::use_input_buffer(
*bufferHdr = (m_inp_mem_ptr + i);
BITMASK_SET(&m_inp_bm_count,i);
BITMASK_SET(&m_client_in_bm_count,i);
(*bufferHdr)->pBuffer = (OMX_U8 *)buffer;
(*bufferHdr)->nSize = sizeof(OMX_BUFFERHEADERTYPE);
@ -3643,6 +3645,10 @@ OMX_ERRORTYPE omx_video::free_buffer(OMX_IN OMX_HANDLETYPE hComp,
nPortIndex = buffer - (OMX_BUFFERHEADERTYPE*)m_out_mem_ptr;
if(BITMASK_PRESENT(&m_client_out_bm_count, nPortIndex))
BITMASK_CLEAR(&m_client_out_bm_count,nPortIndex);
} else if (port == PORT_INDEX_IN) {
nPortIndex = buffer - (meta_mode_enable?meta_buffer_hdr:m_inp_mem_ptr);
if(BITMASK_PRESENT(&m_client_in_bm_count, nPortIndex))
BITMASK_CLEAR(&m_client_in_bm_count,nPortIndex);
}
if (m_state == OMX_StateIdle &&
(BITMASK_PRESENT(&m_flags ,OMX_COMPONENT_LOADING_PENDING))) {
@ -4004,7 +4010,7 @@ OMX_ERRORTYPE omx_video::empty_this_buffer_proxy(OMX_IN OMX_HANDLETYPE hComp,
auto_lock l(m_buf_lock);
pmem_data_buf = (OMX_U8 *)m_pInput_pmem[nBufIndex].buffer;
if (pmem_data_buf && BITMASK_PRESENT(&m_inp_bm_count, nBufIndex)) {
if (pmem_data_buf && BITMASK_PRESENT(&m_client_in_bm_count, nBufIndex)) {
memcpy (pmem_data_buf, (buffer->pBuffer + buffer->nOffset),
buffer->nFilledLen);
}
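Review bot: In the free_buffer hunk, nPortIndex is computed by pointer subtraction from the caller-supplied header and passed straight to BITMASK_PRESENT/BITMASK_CLEAR on m_client_in_bm_count (and m_client_out_bm_count on the other branch), with no range check between the two lines. A header that does not belong to the port's array would give an arbitrary index, and the mask is a single uint64_t, so the bit access would presumably fall outside it. Bound the index first, e.g. `if (nPortIndex < m_sInPortDef.nBufferCountActual && BITMASK_PRESENT(&m_client_in_bm_count, nPortIndex))`, with the matching output-port count on the out branch. It is also worth confirming that this clear runs under m_buf_lock, since empty_this_buffer_proxy tests the same bit under that lock just before its memcpy and the hunk shows no lock here. free_buffer's body starts and continues outside the hunk, so an earlier validation may exist that is not visible.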


@ -2391,6 +2391,8 @@ OMX_ERRORTYPE omx_venc::component_deinit(OMX_IN OMX_HANDLETYPE hComp)
for (i=0; i<m_sInPortDef.nBufferCountActual; i++ ) {
if (BITMASK_PRESENT(&m_inp_bm_count, i)) {
BITMASK_CLEAR(&m_inp_bm_count, i);
if (BITMASK_PRESENT(&m_client_in_bm_count, i))
BITMASK_CLEAR(&m_client_in_bm_count, i);
free_input_buffer (&m_inp_mem_ptr[i]);
}