mirror of
https://github.com/followmsi/android_hardware_qcom_media.git
synced 2024-10-31 22:47:35 +00:00
mm-video-v4l2: venc: Protect buffer from being freed while accessing
Output buffer (in use-buffer mode) has an internal backup ion buffer. The contents of this buffer are deep-copied in client's buffer in the context of VideoEncCallBackThread; while this buffer can be freed in the client thread's context. Check the allocation bitmask before attempting to copy and synchronize these operations by holding a lock Fixes bug 36130225 Security Vulnerability - Heap use after free in libOmxVenc CRs-Fixed: 2053101 Author: Praveen Chavan <pchavan@codeaurora.org> Change-Id: I6141e81d7dbd50bc3601c8df066fd8cbd06b4e0b
This commit is contained in:
parent
4fb2744c19
commit
6ec830ac0c
3 changed files with 16 additions and 1 deletions
|
@ -683,6 +683,7 @@ class omx_video: public qc_omx_component
|
|||
omx_cmd_queue m_opq_meta_q;
|
||||
omx_cmd_queue m_opq_pmem_q;
|
||||
OMX_BUFFERHEADERTYPE meta_buffer_hdr[MAX_NUM_INPUT_BUFFERS];
|
||||
pthread_mutex_t m_buf_lock;
|
||||
|
||||
bool input_flush_progress;
|
||||
bool output_flush_progress;
|
||||
|
|
|
@ -328,6 +328,8 @@ omx_video::omx_video():
|
|||
property_get("ro.board.platform", platform_name, "0");
|
||||
strlcpy(m_platform, platform_name, sizeof(m_platform));
|
||||
#endif
|
||||
|
||||
pthread_mutex_init(&m_buf_lock, NULL);
|
||||
}
|
||||
|
||||
|
||||
|
@ -369,6 +371,8 @@ omx_video::~omx_video()
|
|||
sem_destroy(&m_cmd_lock);
|
||||
DEBUG_PRINT_HIGH("m_etb_count = %" PRIu64 ", m_fbd_count = %" PRIu64, m_etb_count,
|
||||
m_fbd_count);
|
||||
|
||||
pthread_mutex_destroy(&m_buf_lock);
|
||||
DEBUG_PRINT_HIGH("omx_video: Destructor exit");
|
||||
DEBUG_PRINT_HIGH("Exiting OMX Video Encoder ...");
|
||||
}
|
||||
|
@ -2725,6 +2729,7 @@ OMX_ERRORTYPE omx_video::use_output_buffer(
|
|||
return OMX_ErrorBadParameter;
|
||||
}
|
||||
|
||||
auto_lock l(m_buf_lock);
|
||||
if (!m_out_mem_ptr) {
|
||||
output_use_buffer = true;
|
||||
int nBufHdrSize = 0;
|
||||
|
@ -3655,6 +3660,7 @@ OMX_ERRORTYPE omx_video::free_buffer(OMX_IN OMX_HANDLETYPE hComp,
|
|||
nPortIndex, (unsigned int)m_sOutPortDef.nBufferCountActual);
|
||||
if (nPortIndex < m_sOutPortDef.nBufferCountActual &&
|
||||
BITMASK_PRESENT(&m_out_bm_count, nPortIndex)) {
|
||||
auto_lock l(m_buf_lock);
|
||||
// Clear the bit associated with it.
|
||||
BITMASK_CLEAR(&m_out_bm_count,nPortIndex);
|
||||
m_sOutPortDef.bPopulated = OMX_FALSE;
|
||||
|
|
|
@ -2593,10 +2593,17 @@ int omx_venc::async_message_process (void *context, void* message)
|
|||
OMX_COMPONENT_GENERATE_EBD);
|
||||
break;
|
||||
case VEN_MSG_OUTPUT_BUFFER_DONE:
|
||||
{
|
||||
omxhdr = (OMX_BUFFERHEADERTYPE*)m_sVenc_msg->buf.clientdata;
|
||||
OMX_U32 bufIndex = (OMX_U32)(omxhdr - omx->m_out_mem_ptr);
|
||||
|
||||
if ( (omxhdr != NULL) &&
|
||||
((OMX_U32)(omxhdr - omx->m_out_mem_ptr) < omx->m_sOutPortDef.nBufferCountActual)) {
|
||||
(bufIndex < omx->m_sOutPortDef.nBufferCountActual)) {
|
||||
auto_lock l(omx->m_buf_lock);
|
||||
if (BITMASK_ABSENT(&(omx->m_out_bm_count), bufIndex)) {
|
||||
DEBUG_PRINT_ERROR("Recieved FBD for buffer that is already freed !");
|
||||
break;
|
||||
}
|
||||
if (!omx->is_secure_session() && (m_sVenc_msg->buf.len <= omxhdr->nAllocLen)) {
|
||||
omxhdr->nFilledLen = m_sVenc_msg->buf.len;
|
||||
omxhdr->nOffset = m_sVenc_msg->buf.offset;
|
||||
|
@ -2630,6 +2637,7 @@ int omx_venc::async_message_process (void *context, void* message)
|
|||
omx->post_event ((unsigned long)omxhdr,m_sVenc_msg->statuscode,
|
||||
OMX_COMPONENT_GENERATE_FBD);
|
||||
break;
|
||||
}
|
||||
case VEN_MSG_NEED_OUTPUT_BUFFER:
|
||||
//TBD what action needs to be done here??
|
||||
break;
|
||||
|
|
Loading…
Reference in a new issue