Protect buffer access for below scenarios:
* Increase the scope of buf_lock in free_buffer to avoid access
of freed buffer for both input and output buffers. Also, add check
before output buffer access.
* Disallow allocate buffer mode after client has called use buffer.
Allocate additional 512 bytes of memory for input buffers on top of
allocation size as per hardware requirement.
Bug: 64340487
Test: ran POC on bullhead/nyc-dev
Change-Id: Iabbb2d7e00ff97bfc47b04386feec66976fca99a
(cherry picked from commit 83aeab22d1)
A kernel variable was to be defined as unsigned long but
it is mistakenly defined as unsigned only, the space is
missing after long. This bug is silent because unsigned
is also a valid data type by itself.
Corresponding to kernel fix, similar correction is done
in userspace code.
Change-Id: Ie58f275149dc9c85553f75e02594113b1a03ddcf
CRs-fixed: 556771
Enumerate and advertise constrained profiles for AVC encoder.
In order to have backward compatibility, advertise existing as well
as newly added constants.
Keep legacy constants for getters as Android media framework does not
use them.
Bug: 65043406
Change-Id: I6fe88a505005731c4891aa1a7c1f627c65f01861
Unmap was being called with a modified address resulting in unmap
failure. Call unmap with the exact address which we get from map
call.
CRs-Fixed: 2056867
Bug: 62385648
Author: abdullahanam@codeaurora.org
Change-Id: I2b7eaec8c8224188f910501b5cb86402a722dfaf
Output buffer(in use-buffer mode) has an internal backup ion buffer.
The contents of this buffer are deep-copied in client's buffer in
the context of VideoEncCallBackThread; while this buffer can be
freed in the client thread's context.
Check the allocation bitmask before attempting to copy and
synchronize these operations by holding a lock
Fixes bug 36130225
Security Vulnerability - Heap use after free in libOmxVenc
CRs-Fixed: 2053101
Bug: 36130225
Change-Id: If5e89703b2dec0aee8acb7e897e9df94227af3f3
Author: Praveen Chavan<pchavan@codeaurora.org>
- Meta mode for sending native handles from camera
should be supported along with rest of the modes.
BUG: 34516149
Test: Camera CTS API1 and API2 using legacy Hal1 module
Change-Id: Ia9dc5936b0b5a2792b1286b979030f0f5b6104a1
Moved msm8974/mm-core header files from inc/ to inc/mm-core/omxcore for exporting.
Moved msm8974/mm-video-v4l2/DivxDrmDecrypt headers to subfolder for exporting.
Moved msm8974/libstagefrighthw headers to include/ folder for exporting
In msm8974/mm-core, inc/ has newer OMX_* headers than inc/mm-core/omxcore and
frameworks/native/include/media/openmax. Updating these headers will be
handled in a separate CL.
Test: Add lib to LOCAL_EXPORT_SHARED_LIBRARIES
Change-Id: I4cdfe3085a459abdbd3de491eed10cdceadc4a85
In secure mode, input buffer _must_ be allocated by the component to
allocate a secure buffer.
Client-supplied memory via usebuffer does not qualify as secure-memory
and must be rejected. This also avoids accidental heap-overflow while
copying bitstream from user-memory to a smaller-sized secure-payload
(usually the buffer-header itself)
Bug : 30148882
Fixes : Heap Overflow/LPE in MediaServer (libOmxVdec problem #11)
CRs-Fixed: 1071731
Change-Id: Ibbde2d6a9c1f30e8482a533cadb13e44d8dcb2c0
Count and size negotiation of port-buffers should only be allowed when
the port hasn't been allocated yet.
Letting the client change count/size on a pre-allocated port will
cause inconsistencies in the count/size of memory allocated for
headers and internal lists.
Fix resetting of buffer-base (m_inp_mem_ptr) when all buffers are
freed, for all the buffer-modes.
Bug: 29421682
Fixes: Local Privilege Escalation in MediaServer (libOmxVenc problem #10)
Change-Id: I9abead969bc3c908e6db9beb6316fd572dac25f7
Changing Count, size, usage-mode (metadata/bytebuffer/native-handle) or
allocation-mode (allocateBuffer/UseBuffer) of buffers should only be
allowed when the port hasn't been allocated yet.
Since buffer-modes determine the payload-size in case of meta-buffer-mode,
and also determine the memory-base to derive buffer indices from buffer-
headers, letting the client change count/size/mode on a pre-allocated port
will cause inconsistencies in the size of memory allocated for headers and
lead to index overflows.
Fix the range checks for the derived buffer-indices to avoid out-of-bounds
writes.
Also, ensure buffer-mode settings (metadata-mode, native-handle-mode)
are intended for the right ports.
Bug: 29617572 : Heap Overflow/LPE in MediaServer (libOmxVdec problem #8)
Bug: 29982686 : Memory Write/LPE in MediaServer (libOmxVdec problem #10)
Change-Id: I619636a48779580c247bffb3752c3e4025b46542
Implement OMX_IndexParamAndroidVideoTemporalLayers to expose
configuration of temporal-layered encoding to client.
Layer-wise bitrate support and changing layer-count dynamically
is not supported.
Bug: 27596987
Change-Id: Ib32e7aea22e2cbaf78a903561b67de7d14ed57e5
HEVC's main config param now supports key-frame-interval.
Use this information to configure the intra-period, i.e.
configure number of P-Frames (assuming no B-frames)
Bug: 29494247
CRs-Fixed: 1023504
Change-Id: I3d2f0df3a5ab3b7d659ae58ae6f4df5898006934
Heap pointers do not point to user virtual addresses in case
of secure session.
Set them to NULL and add checks to avoid accessing them
Bug: 28815329
Bug: 28920116
Change-Id: I94fd5808e753b58654d65e175d3857ef46ffba26
(per the spec) ETB/FTB should not be handled in states other than
Executing, Paused and Idle. This avoids accessing invalid buffers.
Also add a lock to protect the private-buffers from being deleted
while accessing from another thread.
Bug: 27903498
Security Vulnerability - Heap Use-After-Free and Possible LPE in
MediaServer (libOmxVenc problem #3)
Change-Id: I898b42034c0add621d4f9d8e02ca0ed4403d4fd3
(per the spec) ETB/FTB should not be handled in states other than
Executing, Paused and Idle. This avoids accessing invalid buffers.
Also add a lock to protect the private-buffers from being deleted
while accessing from another thread.
Bug: 27890802
Security Vulnerability - Heap Use-After-Free and Possible LPE in
MediaServer (libOmxVdec problem #6)
Change-Id: Iaac2e383cd53cf9cf8042c9ed93ddc76dba3907e
Using strncmp with the strlen of source string can result in
false positives when it is a substring of the passed string.
Eg: strncmp("OMX.extn.x", "OMX.extn.xyz", strlen("OMX.extn.x"))
will result in a match.
Use strcmp instead.
Bug: 27344524
Change-Id: I68839f2bea8b97a31f43885538e9dce51aa8c1b4
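
The prefix match described in the commit message above, shown next to the exact comparison. This is an added example, not code from the commit or the project; the registry table, handler ids and function names are hypothetical, and the bounded variant goes beyond the commit to cover a fixed-size field that may not be NUL-terminated.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed registry; the two names are the ones in the commit message. */
struct entry { const char *name; int handler_id; };
static const struct entry registry[] = { { "OMX.extn.x", 1 }, { "OMX.extn.xyz", 2 } };
#define N_ENTRIES (sizeof(registry) / sizeof(registry[0]))

/* Flawed: compares only strlen(registered name) bytes, so any request that
 * merely starts with a registered name is accepted as that name. */
int lookup_prefix(const char *requested)
{
    for (size_t i = 0; i < N_ENTRIES; i++)
        if (strncmp(registry[i].name, requested, strlen(registry[i].name)) == 0)
            return registry[i].handler_id;
    return -1;
}

/* Fixed: strcmp also compares the terminating NUL, so lengths must agree. */
int lookup_exact(const char *requested)
{
    for (size_t i = 0; i < N_ENTRIES; i++)
        if (strcmp(registry[i].name, requested) == 0)
            return registry[i].handler_id;
    return -1;
}

/* For a fixed-size field that may lack a NUL: bound the scan first, then
 * require equal length and equal bytes. */
int lookup_exact_bounded(const char *field, size_t field_size)
{
    const char *nul = memchr(field, '\0', field_size);
    if (nul == NULL) return -1;         /* unterminated input: reject */
    size_t len = (size_t)(nul - field);
    for (size_t i = 0; i < N_ENTRIES; i++)
        if (strlen(registry[i].name) == len &&
            memcmp(registry[i].name, field, len) == 0)
            return registry[i].handler_id;
    return -1;
}

int main(void)
{
    printf("%d %d\n", lookup_prefix("OMX.extn.xyz"), lookup_exact("OMX.extn.xyz"));
    return 0;
}
```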
This config (used to set header offline) is no longer used.
Remove handling this config since it uses non-process-safe ways to
pass memory pointers.
Fixes: Security Vulnerability - Segfault in MediaServer (libOmxVdec problem #2)
Bug: 27475409
Change-Id: I7a535a3da485cbe83cf4605a05f9faf70dcca42f
Allow only up to 64 buffers on input/output port (since the
allocation bitmap is only 64-wide).
Do not allow changing the actual buffer count while still
holding allocation (Client can technically negotiate buffer
count on a free/disabled port)
Add safety checks to free only as many buffers as were allocated.
Fixes: Security Vulnerability - Heap Overflow and Possible
Local Privilege Escalation in MediaServer (libOmxVdec problem #3)
Bug: 27532282 27661749
Change-Id: I06dd680d43feaef3efdc87311e8a6703e234b523
Allow only up to 64 buffers on input/output port (since the
allocation bitmap is only 64-wide).
Add safety checks to free only as many buffers as were allocated.
Fixes: Heap Overflow and Possible Local Privilege Escalation in
MediaServer (libOmxVenc problem)
Bug: 27532497
Change-Id: I31e576ef9dc542df73aa6b0ea113d72724b50fc6
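
A minimal model of the checks the two commit messages above describe for a 64-bit allocation bitmap: a cap on the buffer count, no renegotiation while buffers are held, and freeing only slots that were allocated. This is an added example, not the libOmxVdec/libOmxVenc code; `struct port`, its fields and the `port_*` functions are hypothetical names.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_PORT_BUFFERS 64u   /* width of the allocation bitmap */

struct port {
    uint64_t alloc_bitmap;     /* bit i set => buffer i is allocated */
    unsigned actual_count;     /* negotiated buffer count */
};

/* Count negotiation: bounded by the bitmap width, and refused while any
 * buffer is still allocated on the port. */
bool port_set_count(struct port *p, unsigned count)
{
    if (count == 0 || count > MAX_PORT_BUFFERS) return false;
    if (p->alloc_bitmap != 0) return false;
    p->actual_count = count;
    return true;
}

/* Allocate the lowest free slot below actual_count; -1 when the port is full. */
int port_alloc(struct port *p)
{
    for (unsigned i = 0; i < p->actual_count; i++) {
        if (!(p->alloc_bitmap & (UINT64_C(1) << i))) {
            p->alloc_bitmap |= UINT64_C(1) << i;
            return (int)i;
        }
    }
    return -1;
}

/* Free only a slot that is in range and actually allocated. */
bool port_free(struct port *p, unsigned idx)
{
    if (idx >= p->actual_count) return false;  /* also keeps the shift below 64 */
    if (!(p->alloc_bitmap & (UINT64_C(1) << idx))) return false;
    p->alloc_bitmap &= ~(UINT64_C(1) << idx);
    return true;
}

int main(void)
{
    struct port p = { 0, 0 };
    printf("%d %d\n", port_set_count(&p, 65), port_set_count(&p, 8));
    return 0;
}
```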
Restore missing buffer-index calculation, without which,
native-handles were not being saved properly and NULL handles
got sent out to gralloc::setMetadata
A bad buffer index can cause the OMX component to make an out of
bound read/write access on the native_buffer array and cause a
crash. Add range check to fix the issue.
Bug: 25976027
Change-Id: I684a501a1a71898b5c1c80566125459a5972c959
Check the sanity of config/param structure objects
passed to get/set_config()/parameter() methods.
Bug: 27533317
Security Vulnerability in MediaServer
omx_vdec::get_config() Can lead to arbitrary write
Change-Id: I6c3243afe12055ab94f1a1ecf758c10e88231809
1) Move existing HAL to msm8974/
2) Import msm8996 HAL from LA.HB.1.1.2_rb1.12
3) Modify Makefiles to remove kernel dependencies and
fix for new directory structure
4) Modify top level makefile for new directory structure
Top commits from LA.HB.1.1.2_rb1.12 included in this commit:
db7937a mm-video: vidc: memset struct v4l2_format prior to S_FMT
d77ab10 Merge "mm-video-v4l2: vidc: Do not queue output buffer if flush is in progress"
8895985 mm-video-v4l2: vidc: vdec: Add property to disable UBWC for OPB
675af75 Merge "mm-video: vidc: Communicate the right colorformat to the driver"
dd79df2 Merge "mm-video: vidc: Reliably stop the message thread"
c3e8618 Merge "mm-video-v4l2: vidc: venc: Fix B-Frame handling"
755ec08 mm-video-v4l2: vidc: Do not queue output buffer if flush is in progress
3ac8410 mm-video: vidc: Reliably stop the message thread
b73dcba Merge "mm-video-v4l2: vidc: venc: Bug fixes for VZIP"
8358109 Merge "mm-video-v4l2: vdec: fix picture type decode mode return status"
BUG=27420204
Signed-off-by: Patrick Tjin <pattjin@google.com>
Change-Id: I71aa0190e48b332268334677894b0ad7c606296b