mm-video-v4l2: Squash below changes
mm-video-v4l2: Protect buffer access and increase input buffer size
Protect buffer access for below scenarios:
*Increase the scope of buf_lock in free_buffer to avoid access
of freed buffer for both input and output buffers. Also, add check
before output buffer access.
*Disallow allocate buffer mode after client has called use buffer.
Allocate additional 512 bytes of memory for input buffers on top of
allocation size as per hardware requirement.
mm-video-v4l2: correct the buffer error flag setting
The buffer error flag setting is corrected in free_buffer()
call
Bug: 64340487
Test: poc from bug
Change-Id: I32d6cb7f61b873edd567881d1bf3e620cd78e715
diff --git a/msm8998/mm-video-v4l2/vidc/vdec/inc/omx_vdec.h b/msm8998/mm-video-v4l2/vidc/vdec/inc/omx_vdec.h
index 8ae35a4..c0660fd 100644
--- a/msm8998/mm-video-v4l2/vidc/vdec/inc/omx_vdec.h
+++ b/msm8998/mm-video-v4l2/vidc/vdec/inc/omx_vdec.h
@@ -1,5 +1,5 @@
/*--------------------------------------------------------------------------
-Copyright (c) 2010 - 2017, The Linux Foundation. All rights reserved.
+Copyright (c) 2010 - 2018, The Linux Foundation. All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
@@ -1286,6 +1286,7 @@
// list of extensions is not mutable after initialization
const VendorExtensionStore mVendorExtensionStore;
+ bool m_buffer_error;
};
#ifdef _MSM8974_
diff --git a/msm8998/mm-video-v4l2/vidc/vdec/src/omx_vdec_v4l2.cpp b/msm8998/mm-video-v4l2/vidc/vdec/src/omx_vdec_v4l2.cpp
index 8e0b014..b61f49b 100644
--- a/msm8998/mm-video-v4l2/vidc/vdec/src/omx_vdec_v4l2.cpp
+++ b/msm8998/mm-video-v4l2/vidc/vdec/src/omx_vdec_v4l2.cpp
@@ -1,5 +1,5 @@
/*--------------------------------------------------------------------------
-Copyright (c) 2010 - 2017, The Linux Foundation. All rights reserved.
+Copyright (c) 2010 - 2018, The Linux Foundation. All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
@@ -667,7 +667,8 @@
current_perf_level(V4L2_CID_MPEG_VIDC_PERF_LEVEL_NOMINAL),
secure_scaling_to_non_secure_opb(false),
m_force_compressed_for_dpb(true),
- m_is_display_session(false)
+ m_is_display_session(false),
+ m_buffer_error(false)
{
m_pipe_in = -1;
m_pipe_out = -1;
@@ -5995,6 +5996,7 @@
eRet = allocate_output_headers();
if (eRet == OMX_ErrorNone)
eRet = allocate_extradata();
+ output_use_buffer = true;
}
if (eRet == OMX_ErrorNone) {
@@ -6504,7 +6506,6 @@
index = bufferHdr - m_inp_mem_ptr;
DEBUG_PRINT_LOW("Free Input Buffer index = %d",index);
- auto_lock l(buf_lock);
bufferHdr->pInputPortPrivate = NULL;
if (index < drv_ctx.ip_buf.actualcount && drv_ctx.ptr_inputbuffer) {
@@ -6730,6 +6731,7 @@
unsigned i = 0;
unsigned char *buf_addr = NULL;
int pmem_fd = -1, ret = 0;
+ unsigned int align_size = 0;
(void) hComp;
(void) port;
@@ -6804,8 +6806,10 @@
int rc;
DEBUG_PRINT_LOW("Allocate input Buffer");
#ifdef USE_ION
+ align_size = drv_ctx.ip_buf.buffer_size + 512;
+ align_size = (align_size + drv_ctx.ip_buf.alignment - 1)&(~(drv_ctx.ip_buf.alignment - 1));
drv_ctx.ip_buf_ion_info[i].ion_device_fd = alloc_map_ion_memory(
- drv_ctx.ip_buf.buffer_size,drv_ctx.op_buf.alignment,
+ align_size, drv_ctx.op_buf.alignment,
&drv_ctx.ip_buf_ion_info[i].ion_alloc_data,
&drv_ctx.ip_buf_ion_info[i].fd_ion_data, secure_mode ?
SECURE_FLAGS_INPUT_BUFFER : 0);
@@ -7361,6 +7365,10 @@
eRet = allocate_input_buffer(hComp,bufferHdr,port,appData,bytes);
}
} else if (port == OMX_CORE_OUTPUT_PORT_INDEX) {
+ if (output_use_buffer) {
+ DEBUG_PRINT_ERROR("Allocate output buffer not allowed after use buffer");
+ return OMX_ErrorBadParameter;
+ }
eRet = client_buffers.allocate_buffers_color_convert(hComp,bufferHdr,port,
appData,bytes);
} else {
@@ -7421,6 +7429,7 @@
(void) hComp;
DEBUG_PRINT_LOW("In for decoder free_buffer");
+ auto_lock l(buf_lock);
if (m_state == OMX_StateIdle &&
(BITMASK_PRESENT(&m_flags ,OMX_COMPONENT_LOADING_PENDING))) {
DEBUG_PRINT_LOW(" free buffer while Component in Loading pending");
@@ -7437,7 +7446,7 @@
post_event(OMX_EventError,
OMX_ErrorPortUnpopulated,
OMX_COMPONENT_GENERATE_EVENT);
-
+ m_buffer_error = true;
return OMX_ErrorIncorrectStateOperation;
} else if (m_state != OMX_StateInvalid) {
DEBUG_PRINT_ERROR("Invalid state to free buffer,port lost Buffers");
@@ -7558,6 +7567,7 @@
BITMASK_CLEAR((&m_flags),OMX_COMPONENT_LOADING_PENDING);
post_event(OMX_CommandStateSet, OMX_StateLoaded,
OMX_COMPONENT_GENERATE_EVENT);
+ m_buffer_error = false;
}
}
return eRet;
@@ -7729,6 +7739,11 @@
if (!temp_buffer || (temp_buffer - drv_ctx.ptr_inputbuffer) > (int)drv_ctx.ip_buf.actualcount) {
return OMX_ErrorBadParameter;
}
+
+ if (BITMASK_ABSENT(&m_inp_bm_count, nPortIndex) || m_buffer_error) {
+ DEBUG_PRINT_ERROR("ETBProxy: ERROR: invalid buffer, nPortIndex %u", nPortIndex);
+ return OMX_ErrorBadParameter;
+ }
/* If its first frame, H264 codec and reject is true, then parse the nal
and get the profile. Based on this, reject the clip playback */
if (first_frame == 0 && codec_type_parse == CODEC_TYPE_H264 &&
@@ -8030,6 +8045,7 @@
struct vdec_bufferpayload *ptr_outputbuffer = NULL;
struct vdec_output_frameinfo *ptr_respbuffer = NULL;
+ auto_lock l(buf_lock);
nPortIndex = buffer-((OMX_BUFFERHEADERTYPE *)client_buffers.get_il_buf_hdr());
if (bufferAdd == NULL || nPortIndex >= drv_ctx.op_buf.actualcount) {
@@ -8038,6 +8054,10 @@
return OMX_ErrorBadParameter;
}
+ if (BITMASK_ABSENT(&m_out_bm_count, nPortIndex) || m_buffer_error) {
+ DEBUG_PRINT_ERROR("FTBProxy: ERROR: invalid buffer, nPortIndex %u", nPortIndex);
+ return OMX_ErrorBadParameter;
+ }
DEBUG_PRINT_LOW("FTBProxy: bufhdr = %p, bufhdr->pBuffer = %p",
bufferAdd, bufferAdd->pBuffer);
/*Return back the output buffer to client*/
@@ -9427,7 +9447,7 @@
if (omxhdr && omxhdr->nFilledLen && !omx->m_need_turbo) {
omx->request_perf_level(VIDC_NOMINAL);
}
- if (omx->output_use_buffer && omxhdr->pBuffer &&
+ if (!omx->m_enable_android_native_buffers && omx->output_use_buffer && omxhdr->pBuffer &&
vdec_msg->msgdata.output_frame.bufferaddr)
memcpy ( omxhdr->pBuffer, (void *)
((unsigned long)vdec_msg->msgdata.output_frame.bufferaddr +
