DO NOT MERGE mm-video-v4l2: venc: Avoid processing ETBs/FTBs in invalid states
(per the spec) ETB/FTB should not be handled in states other than
Executing, Paused and Idle. This avoids accessing invalid buffers.
Also add a lock to protect the private-buffers from being deleted
while accessing from another thread.
Bug: 27903498
Security Vulnerability - Heap Use-After-Free and Possible LPE in
MediaServer (libOmxVenc problem #3)
Change-Id: I898b42034c0add621d4f9d8e02ca0ed4403d4fd3
diff --git a/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp b/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp
index 7b5afeb..fcc7a0d 100644
--- a/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp
+++ b/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp
@@ -2554,6 +2554,8 @@
}
if (index < m_sInPortDef.nBufferCountActual && m_pInput_pmem) {
+ auto_lock l(m_lock);
+
if (m_pInput_pmem[index].fd > 0 && input_use_buffer == false) {
DEBUG_PRINT_LOW("FreeBuffer:: i/p AllocateBuffer case");
if(!secure_session) {
@@ -2561,6 +2563,7 @@
} else {
free(m_pInput_pmem[index].buffer);
}
+ m_pInput_pmem[index].buffer = NULL;
close (m_pInput_pmem[index].fd);
#ifdef USE_ION
free_ion_memory(&m_pInput_ion[index]);
@@ -2574,6 +2577,7 @@
}
if(!secure_session) {
munmap (m_pInput_pmem[index].buffer,m_pInput_pmem[index].size);
+ m_pInput_pmem[index].buffer = NULL;
}
close (m_pInput_pmem[index].fd);
#ifdef USE_ION
@@ -3281,7 +3285,9 @@
unsigned int nBufferIndex ;
DEBUG_PRINT_LOW("ETB: buffer = %p, buffer->pBuffer[%p]", buffer, buffer->pBuffer);
- if (m_state == OMX_StateInvalid) {
+ if (m_state != OMX_StateExecuting &&
+ m_state != OMX_StatePause &&
+ m_state != OMX_StateIdle) {
DEBUG_PRINT_ERROR("ERROR: Empty this buffer in Invalid State");
return OMX_ErrorInvalidState;
}
@@ -3453,9 +3459,13 @@
#endif
{
DEBUG_PRINT_LOW("Heap UseBuffer case, so memcpy the data");
+
+ auto_lock l(m_lock);
pmem_data_buf = (OMX_U8 *)m_pInput_pmem[nBufIndex].buffer;
- memcpy (pmem_data_buf, (buffer->pBuffer + buffer->nOffset),
- buffer->nFilledLen);
+ if (pmem_data_buf) {
+ memcpy (pmem_data_buf, (buffer->pBuffer + buffer->nOffset),
+ buffer->nFilledLen);
+ }
DEBUG_PRINT_LOW("memcpy() done in ETBProxy for i/p Heap UseBuf");
} else if (mUseProxyColorFormat) {
// Gralloc-source buffers with color-conversion
@@ -3511,7 +3521,9 @@
OMX_IN OMX_BUFFERHEADERTYPE* buffer)
{
DEBUG_PRINT_LOW("FTB: buffer->pBuffer[%p]", buffer->pBuffer);
- if (m_state == OMX_StateInvalid) {
+ if (m_state != OMX_StateExecuting &&
+ m_state != OMX_StatePause &&
+ m_state != OMX_StateIdle) {
DEBUG_PRINT_ERROR("ERROR: FTB in Invalid State");
return OMX_ErrorInvalidState;
}