DO NOT MERGE mm-video-v4l2: venc: add checks before accessing heap pointers
Heap pointers do not point to user virtual addresses in case
of secure session.
Set them to NULL and add checks to avoid accesing them
Bug: 28815329
Bug: 28920116
Change-Id: I94fd5808e753b58654d65e175d3857ef46ffba26
diff --git a/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp b/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp
index 815ab28..59860ed 100644
--- a/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp
+++ b/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp
@@ -80,7 +80,6 @@
#define SZ_4K 0x1000
#define SZ_1M 0x100000
-#define SECURE_BUFPTR 0xDEADBEEF
typedef struct OMXComponentCapabilityFlagsType {
////////////////// OMX COMPONENT CAPABILITY RELATED MEMBERS
@@ -2252,7 +2251,7 @@
m_pInput_pmem[i].size = m_sInPortDef.nBufferSize;
m_pInput_pmem[i].offset = 0;
- m_pInput_pmem[i].buffer = (OMX_U8 *)SECURE_BUFPTR;
+ m_pInput_pmem[i].buffer = NULL;
if(!secure_session) {
m_pInput_pmem[i].buffer = (unsigned char *)mmap(
NULL,m_pInput_pmem[i].size,PROT_READ|PROT_WRITE,
@@ -2260,6 +2259,7 @@
if (m_pInput_pmem[i].buffer == MAP_FAILED) {
DEBUG_PRINT_ERROR("ERROR: mmap() Failed");
+ m_pInput_pmem[i].buffer = NULL;
close(m_pInput_pmem[i].fd);
#ifdef USE_ION
free_ion_memory(&m_pInput_ion[i]);
@@ -2443,7 +2443,7 @@
m_pOutput_pmem[i].size = m_sOutPortDef.nBufferSize;
m_pOutput_pmem[i].offset = 0;
- m_pOutput_pmem[i].buffer = (OMX_U8 *)SECURE_BUFPTR;
+ m_pOutput_pmem[i].buffer = NULL;
if(!secure_session) {
#ifdef _MSM8974_
m_pOutput_pmem[i].buffer = (unsigned char *)mmap(NULL,
@@ -2456,6 +2456,7 @@
#endif
if (m_pOutput_pmem[i].buffer == MAP_FAILED) {
DEBUG_PRINT_ERROR("ERROR: mmap() Failed");
+ m_pOutput_pmem[i].buffer = NULL;
close(m_pOutput_pmem[i].fd);
#ifdef USE_ION
free_ion_memory(&m_pOutput_ion[i]);
@@ -2854,13 +2855,14 @@
m_pInput_pmem[i].size = m_sInPortDef.nBufferSize;
m_pInput_pmem[i].offset = 0;
- m_pInput_pmem[i].buffer = (OMX_U8 *)SECURE_BUFPTR;
+ m_pInput_pmem[i].buffer = NULL;
if(!secure_session) {
m_pInput_pmem[i].buffer = (unsigned char *)mmap(NULL,
m_pInput_pmem[i].size,PROT_READ|PROT_WRITE,
MAP_SHARED,m_pInput_pmem[i].fd,0);
if (m_pInput_pmem[i].buffer == MAP_FAILED) {
DEBUG_PRINT_ERROR("ERROR: mmap FAILED= %d", errno);
+ m_pInput_pmem[i].buffer = NULL;
close(m_pInput_pmem[i].fd);
#ifdef USE_ION
free_ion_memory(&m_pInput_ion[i]);
@@ -2871,6 +2873,10 @@
//This should only be used for passing reference to source type and
//secure handle fd struct native_handle_t*
m_pInput_pmem[i].buffer = malloc(sizeof(OMX_U32) + sizeof(native_handle_t*));
+ if (m_pInput_pmem[i].buffer == NULL) {
+ DEBUG_PRINT_ERROR("%s: failed to allocate native-handle", __func__);
+ return OMX_ErrorInsufficientResources;
+ }
(*bufferHdr)->nAllocLen = sizeof(OMX_U32) + sizeof(native_handle_t*);
}
@@ -3016,7 +3022,7 @@
m_pOutput_pmem[i].size = m_sOutPortDef.nBufferSize;
m_pOutput_pmem[i].offset = 0;
- m_pOutput_pmem[i].buffer = (OMX_U8 *)SECURE_BUFPTR;
+ m_pOutput_pmem[i].buffer = NULL;
if(!secure_session) {
#ifdef _MSM8974_
m_pOutput_pmem[i].buffer = (unsigned char *)mmap(NULL,
@@ -3029,6 +3035,7 @@
#endif
if (m_pOutput_pmem[i].buffer == MAP_FAILED) {
DEBUG_PRINT_ERROR("ERROR: MMAP_FAILED in o/p alloc buffer");
+ m_pOutput_pmem[i].buffer = NULL;
close (m_pOutput_pmem[i].fd);
#ifdef USE_ION
free_ion_memory(&m_pOutput_ion[i]);
@@ -3040,6 +3047,10 @@
//This should only be used for passing reference to source type and
//secure handle fd struct native_handle_t*
m_pOutput_pmem[i].buffer = malloc(sizeof(OMX_U32) + sizeof(native_handle_t*));
+ if (m_pOutput_pmem[i].buffer == NULL) {
+ DEBUG_PRINT_ERROR("%s: Failed to allocate native-handle", __func__);
+ return OMX_ErrorInsufficientResources;
+ }
(*bufferHdr)->nAllocLen = sizeof(OMX_U32) + sizeof(native_handle_t*);
native_handle_t *handle = native_handle_create(1, 0);
handle->data[0] = m_pOutput_pmem[i].fd;
diff --git a/mm-video-v4l2/vidc/venc/src/omx_video_encoder.cpp b/mm-video-v4l2/vidc/venc/src/omx_video_encoder.cpp
index 32d8c0a..6751e3b 100644
--- a/mm-video-v4l2/vidc/venc/src/omx_video_encoder.cpp
+++ b/mm-video-v4l2/vidc/venc/src/omx_video_encoder.cpp
@@ -2198,7 +2198,7 @@
omxhdr->nFlags = m_sVenc_msg->buf.flags;
/*Use buffer case*/
- if (omx->output_use_buffer && !omx->m_use_output_pmem) {
+ if (omx->output_use_buffer && !omx->m_use_output_pmem && !omx->is_secure_session()) {
DEBUG_PRINT_LOW("memcpy() for o/p Heap UseBuffer");
memcpy(omxhdr->pBuffer,
(m_sVenc_msg->buf.ptrbuffer),
diff --git a/mm-video-v4l2/vidc/venc/src/video_encoder_device_v4l2.cpp b/mm-video-v4l2/vidc/venc/src/video_encoder_device_v4l2.cpp
index 32d73b5..c4eb3d8 100644
--- a/mm-video-v4l2/vidc/venc/src/video_encoder_device_v4l2.cpp
+++ b/mm-video-v4l2/vidc/venc/src/video_encoder_device_v4l2.cpp
@@ -681,6 +681,11 @@
int venc_dev::venc_output_log_buffers(const char *buffer_addr, int buffer_len)
{
+ if (venc_handle->is_secure_session()) {
+ DEBUG_PRINT_ERROR("logging secure output buffers is not allowed!");
+ return -1;
+ }
+
if (!m_debug.outfile) {
int size = 0;
if(m_sVenc_cfg.codectype == V4L2_PIX_FMT_MPEG4) {
@@ -764,6 +769,11 @@
}
int venc_dev::venc_input_log_buffers(OMX_BUFFERHEADERTYPE *pbuffer, int fd, int plane_offset) {
+ if (venc_handle->is_secure_session()) {
+ DEBUG_PRINT_ERROR("logging secure input buffers is not allowed!");
+ return -1;
+ }
+
if (!m_debug.infile) {
int size = snprintf(m_debug.infile_name, PROPERTY_VALUE_MAX, "%s/input_enc_%lu_%lu_%p.yuv",
m_debug.log_loc, m_sVenc_cfg.input_width, m_sVenc_cfg.input_height, this);
