mm-video-v4l2: vdec: Disallow input usebuffer for secure case
In secure mode, input buffer _must_ be allocated by the component to
allocate a secure buffer.
Client-supplied memory via usebuffer does not qualify as secure-memory
and must be rejected. This also avoids accidental heap-overflow while
copying bitstream from user-memory to a smaller-sized secure-payload
(usually the buffer-header itself)
Bug : 30148882
Fixes : Heap Overflow/LPE in MediaServer (libOmxVdec problem #11)
CRs-Fixed: 1071731
Change-Id: Ibbde2d6a9c1f30e8482a533cadb13e44d8dcb2c0
diff --git a/msm8974/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp b/msm8974/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp
index 1f898a3..05b1e9d 100644
--- a/msm8974/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp
+++ b/msm8974/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp
@@ -4962,6 +4962,12 @@
{
DEBUG_PRINT_LOW("Inside %s, %p", __FUNCTION__, buffer);
OMX_ERRORTYPE eRet = OMX_ErrorNone;
+
+ if (secure_mode) {
+ DEBUG_PRINT_ERROR("use_input_heap_buffers is not allowed in secure mode");
+ return OMX_ErrorUndefined;
+ }
+
if (!m_inp_heap_ptr)
m_inp_heap_ptr = (OMX_BUFFERHEADERTYPE*)
calloc( (sizeof(OMX_BUFFERHEADERTYPE)),
@@ -6212,7 +6218,7 @@
/*for use buffer we need to memcpy the data*/
temp_buffer->buffer_len = buffer->nFilledLen;
- if (input_use_buffer && temp_buffer->bufferaddr) {
+ if (input_use_buffer && temp_buffer->bufferaddr && !secure_mode) {
if (buffer->nFilledLen <= temp_buffer->buffer_len) {
if (arbitrary_bytes) {
memcpy (temp_buffer->bufferaddr, (buffer->pBuffer + buffer->nOffset),buffer->nFilledLen);
diff --git a/msm8996/mm-video-v4l2/vidc/vdec/src/omx_vdec_v4l2.cpp b/msm8996/mm-video-v4l2/vidc/vdec/src/omx_vdec_v4l2.cpp
index 806521f..bf363e8 100644
--- a/msm8996/mm-video-v4l2/vidc/vdec/src/omx_vdec_v4l2.cpp
+++ b/msm8996/mm-video-v4l2/vidc/vdec/src/omx_vdec_v4l2.cpp
@@ -5769,6 +5769,12 @@
{
DEBUG_PRINT_LOW("Inside %s, %p", __FUNCTION__, buffer);
OMX_ERRORTYPE eRet = OMX_ErrorNone;
+
+ if (secure_mode) {
+ DEBUG_PRINT_ERROR("use_input_heap_buffers is not allowed in secure mode");
+ return OMX_ErrorUndefined;
+ }
+
if (!m_inp_heap_ptr)
m_inp_heap_ptr = (OMX_BUFFERHEADERTYPE*)
calloc( (sizeof(OMX_BUFFERHEADERTYPE)),
@@ -7012,7 +7018,7 @@
/*for use buffer we need to memcpy the data*/
temp_buffer->buffer_len = buffer->nFilledLen;
- if (input_use_buffer && temp_buffer->bufferaddr) {
+ if (input_use_buffer && temp_buffer->bufferaddr && !secure_mode) {
if (buffer->nFilledLen <= temp_buffer->buffer_len) {
if (arbitrary_bytes) {
memcpy (temp_buffer->bufferaddr, (buffer->pBuffer + buffer->nOffset),buffer->nFilledLen);
diff --git a/msmcobalt/mm-video-v4l2/vidc/vdec/src/omx_vdec_v4l2.cpp b/msmcobalt/mm-video-v4l2/vidc/vdec/src/omx_vdec_v4l2.cpp
index 7632b38..38087de 100644
--- a/msmcobalt/mm-video-v4l2/vidc/vdec/src/omx_vdec_v4l2.cpp
+++ b/msmcobalt/mm-video-v4l2/vidc/vdec/src/omx_vdec_v4l2.cpp
@@ -5785,6 +5785,12 @@
{
DEBUG_PRINT_LOW("Inside %s, %p", __FUNCTION__, buffer);
OMX_ERRORTYPE eRet = OMX_ErrorNone;
+
+ if (secure_mode) {
+ DEBUG_PRINT_ERROR("use_input_heap_buffers is not allowed in secure mode");
+ return OMX_ErrorUndefined;
+ }
+
if (!m_inp_heap_ptr)
m_inp_heap_ptr = (OMX_BUFFERHEADERTYPE*)
calloc( (sizeof(OMX_BUFFERHEADERTYPE)),
@@ -7032,7 +7038,7 @@
/*for use buffer we need to memcpy the data*/
temp_buffer->buffer_len = buffer->nFilledLen;
- if (input_use_buffer && temp_buffer->bufferaddr) {
+ if (input_use_buffer && temp_buffer->bufferaddr && !secure_mode) {
if (buffer->nFilledLen <= temp_buffer->buffer_len) {
if (arbitrary_bytes) {
memcpy (temp_buffer->bufferaddr, (buffer->pBuffer + buffer->nOffset),buffer->nFilledLen);
