Google Git
Sign in
android / platform / hardware / qcom / media / e6587c9^! / .
commite6587c9dca65ca18161b74dfe87ef64fc9c22a1e[log] [tgz]
authorRay Essick <essick@google.com>Thu Oct 13 09:12:25 2016 -0700
committerRay Essick <essick@google.com>Thu Oct 13 09:12:25 2016 -0700
tree4ad7ea9aabb45a73c4f9b2bfe735317ec4a5e7db
parente051241fbdc0203cfcf4bacb304e7df650490cfa [diff]
mm-video-v4l2: vdec: Disallow changing buffer modes/counts on allocated ports

This is the n-mr1 specific portion of this change; it strips pieces already
provided by an earlier patch.

Changing Count, size, usage-mode (metadata/bytebuffer/native-handle) or
allocation-mode (allocateBuffer/UseBuffer) of buffers should only be
allowed when the port hasn't been allocated yet.
Since buffer-modes determine the payload-size in case of
meta-buffer-mode,
and also determine the memory-base to derive buffer indices from buffer-
headers, letting the client change count/size/mode on a pre-allocated
port
will cause inconsistencies in the size of memory allocated for headers
and
lead to index overflows.

Fix the range checks for the derived buffer-indices to avoid
out-of-bounds
writes.

Also, ensure buffer-mode settings (metadata-mode, native-handle-mode)
are intended for the right ports.

Bug: 29617572 : Heap Overflow/LPE in MediaServer (libOmxVdec problem #8)
Bug: 29982686 :  Memory Write/LPE in MediaServer (libOmxVdec problem #10)
Change-Id: I25dd791e5d9593bba14a8ea50edb3908ba9055f2

diff --git a/msm8996/mm-video-v4l2/vidc/vdec/src/omx_vdec_v4l2.cpp b/msm8996/mm-video-v4l2/vidc/vdec/src/omx_vdec_v4l2.cpp
index 806521f..8ce3339 100644
--- a/msm8996/mm-video-v4l2/vidc/vdec/src/omx_vdec_v4l2.cpp
+++ b/msm8996/mm-video-v4l2/vidc/vdec/src/omx_vdec_v4l2.cpp

@@ -4613,7 +4613,20 @@
                                    }
                                    break;
         case OMX_GoogleAndroidIndexAllocateNativeHandle: {
+
                 AllocateNativeHandleParams* allocateNativeHandleParams = (AllocateNativeHandleParams *) paramData;
+                VALIDATE_OMX_PARAM_DATA(paramData, AllocateNativeHandleParams);
+
+                if (allocateNativeHandleParams->nPortIndex != OMX_CORE_INPUT_PORT_INDEX) {
+                    DEBUG_PRINT_ERROR("Enable/Disable allocate-native-handle allowed only on input port!");
+                    eRet = OMX_ErrorUnsupportedSetting;
+                    break;
+                } else if (m_inp_mem_ptr) {
+                    DEBUG_PRINT_ERROR("Enable/Disable allocate-native-handle is not allowed since Input port is not free !");
+                    eRet = OMX_ErrorInvalidState;
+                    break;
+                }
+
                 if (allocateNativeHandleParams != NULL) {
                     allocate_native_handle = allocateNativeHandleParams->enable;
                 }