Snap for 10983763 from e7af15d9f9cd481bb67148164ecda711383ecd98 to mainline-documentsui-release
Change-Id: I75a3de811a3e3f2282e7e6d4facfba6f418bb952
diff --git a/arm/arch-arm-armv7-a-neon/shared/vndk-core/libstagefright_bufferpool@2.0.so b/arm/arch-arm-armv7-a-neon/shared/vndk-core/libstagefright_bufferpool@2.0.so
index 84ed419..9d38134 100755
--- a/arm/arch-arm-armv7-a-neon/shared/vndk-core/libstagefright_bufferpool@2.0.so
+++ b/arm/arch-arm-armv7-a-neon/shared/vndk-core/libstagefright_bufferpool@2.0.so
Binary files differ
diff --git a/arm/include/system/libfmq/include/fmq/MessageQueueBase.h b/arm/include/system/libfmq/include/fmq/MessageQueueBase.h
index c34a4ff..f4bf7e2 100644
--- a/arm/include/system/libfmq/include/fmq/MessageQueueBase.h
+++ b/arm/include/system/libfmq/include/fmq/MessageQueueBase.h
@@ -586,12 +586,6 @@
return;
}
- const auto& grantors = mDesc->grantors();
- for (const auto& grantor : grantors) {
- hardware::details::check(hardware::details::isAlignedToWordBoundary(grantor.offset) == true,
- "Grantor offsets need to be aligned");
- }
-
if (flavor == kSynchronizedReadWrite) {
mReadPtr = reinterpret_cast<std::atomic<uint64_t>*>(
mapGrantorDescr(hardware::details::READPTRPOS));
@@ -602,11 +596,11 @@
*/
mReadPtr = new (std::nothrow) std::atomic<uint64_t>;
}
- hardware::details::check(mReadPtr != nullptr, "mReadPtr is null");
+ if (mReadPtr == nullptr) goto error;
mWritePtr = reinterpret_cast<std::atomic<uint64_t>*>(
mapGrantorDescr(hardware::details::WRITEPTRPOS));
- hardware::details::check(mWritePtr != nullptr, "mWritePtr is null");
+ if (mWritePtr == nullptr) goto error;
if (resetPointers) {
mReadPtr->store(0, std::memory_order_release);
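Review bot: The `new (std::nothrow)` branch can now fail with no diagnostic at all: the removed `check(mReadPtr != nullptr, "mReadPtr is null")` was the only message for that case, and `if (mReadPtr == nullptr) goto error;` replaces it with a silent jump. Failures inside mapGrantorDescr are logged there, but an allocation failure is not, so I would add `hardware::details::logError("mReadPtr is null");` before the `goto`. Because the function no longer aborts on a bad descriptor, a comment above it should state that it leaves the queue pointers null on failure and that callers have to test the queue's validity before using it. The function starts and ends outside this hunk, and the same lines recur in the arm64, x86 and x86_64 copies of this header.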
@@ -617,14 +611,32 @@
}
mRing = reinterpret_cast<uint8_t*>(mapGrantorDescr(hardware::details::DATAPTRPOS));
- hardware::details::check(mRing != nullptr, "mRing is null");
+ if (mRing == nullptr) goto error;
if (mDesc->countGrantors() > hardware::details::EVFLAGWORDPOS) {
mEvFlagWord = static_cast<std::atomic<uint32_t>*>(
mapGrantorDescr(hardware::details::EVFLAGWORDPOS));
- hardware::details::check(mEvFlagWord != nullptr, "mEvFlagWord is null");
+ if (mEvFlagWord == nullptr) goto error;
android::hardware::EventFlag::createEventFlag(mEvFlagWord, &mEventFlag);
}
+ return;
+error:
+ if (mReadPtr) {
+ if (flavor == kSynchronizedReadWrite) {
+ unmapGrantorDescr(mReadPtr, hardware::details::READPTRPOS);
+ } else {
+ delete mReadPtr;
+ }
+ mReadPtr = nullptr;
+ }
+ if (mWritePtr) {
+ unmapGrantorDescr(mWritePtr, hardware::details::WRITEPTRPOS);
+ mWritePtr = nullptr;
+ }
+ if (mRing) {
+ unmapGrantorDescr(mRing, hardware::details::EVFLAGWORDPOS);
+ mRing = nullptr;
+ }
}
template <template <typename, MQFlavor> typename MQDescriptorType, typename T, MQFlavor flavor>
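Review bot: The cleanup under `error:` releases `mRing` with the wrong grantor index: `mRing` is mapped with `hardware::details::DATAPTRPOS`, but the error path calls `unmapGrantorDescr(mRing, hardware::details::EVFLAGWORDPOS)`. unmapGrantorDescr is not shown here, but if it derives the unmap base and length from the grantor at the given index, as mapGrantorDescr does when mapping, the data ring would be released using the event-flag word's offset and extent, which can leave part of the ring mapped or unmap an unrelated range. The call should read `unmapGrantorDescr(mRing, hardware::details::DATAPTRPOS);`. This path runs exactly when the event-flag mapping fails after the ring was mapped, so a test with a descriptor whose event-flag grantor is invalid would cover it. The same lines appear in the arm64, x86 and x86_64 copies of the header, and the function begins outside this hunk.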
@@ -1234,7 +1246,7 @@
template <template <typename, MQFlavor> typename MQDescriptorType, typename T, MQFlavor flavor>
void* MessageQueueBase<MQDescriptorType, T, flavor>::mapGrantorDescr(uint32_t grantorIdx) {
const native_handle_t* handle = mDesc->handle();
- auto grantors = mDesc->grantors();
+ const std::vector<android::hardware::GrantorDescriptor> grantors = mDesc->grantors();
if (handle == nullptr) {
hardware::details::logError("mDesc->handle is null");
return nullptr;
@@ -1247,10 +1259,32 @@
}
int fdIndex = grantors[grantorIdx].fdIndex;
+ if (fdIndex < 0 || fdIndex >= handle->numFds) {
+ hardware::details::logError(
+ std::string("fdIndex (" + std::to_string(fdIndex) + ") from grantor (index " +
+ std::to_string(grantorIdx) +
+ ") must be smaller than the number of fds in the handle: " +
+ std::to_string(handle->numFds)));
+ return nullptr;
+ }
+
/*
* Offset for mmap must be a multiple of PAGE_SIZE.
*/
+ if (!hardware::details::isAlignedToWordBoundary(grantors[grantorIdx].offset)) {
+ hardware::details::logError("Grantor (index " + std::to_string(grantorIdx) +
+ ") offset needs to be aligned to word boundary but is: " +
+ std::to_string(grantors[grantorIdx].offset));
+ return nullptr;
+ }
+
int mapOffset = (grantors[grantorIdx].offset / PAGE_SIZE) * PAGE_SIZE;
+ if (grantors[grantorIdx].extent < 0 || grantors[grantorIdx].extent > INT_MAX - PAGE_SIZE) {
+ hardware::details::logError(std::string("Grantor (index " + std::to_string(grantorIdx) +
+ ") extent value is too large or negative: " +
+ std::to_string(grantors[grantorIdx].extent)));
+ return nullptr;
+ }
int mapLength = grantors[grantorIdx].offset - mapOffset + grantors[grantorIdx].extent;
void* address = mmap(0, mapLength, PROT_READ | PROT_WRITE, MAP_SHARED, handle->data[fdIndex],
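Review bot: The new extent bound keeps `mapLength` inside `int` only when `offset` itself fits in `int`, and nothing added here checks that before `int mapOffset = (grantors[grantorIdx].offset / PAGE_SIZE) * PAGE_SIZE;` narrows it. GrantorDescriptor's field types are not visible in this hunk, but if `offset` is an unsigned 32-bit value, a descriptor carrying an offset above INT_MAX would make `mapOffset` negative; a guard such as `if (grantors[grantorIdx].offset > INT_MAX) return nullptr;` beside the extent check (logged like the others), or holding both values in `size_t`, would close that, and with an unsigned `extent` the `extent < 0` half of the condition is dead. The comment "Offset for mmap must be a multiple of PAGE_SIZE." now sits above the word-alignment check rather than the `mapOffset` line it describes and should move down. The mmap call continues past the end of the hunk, and the same change is repeated in the arm64, x86 and x86_64 copies of this header.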
diff --git a/arm64/arch-arm-armv8-a/shared/vndk-core/libstagefright_bufferpool@2.0.so b/arm64/arch-arm-armv8-a/shared/vndk-core/libstagefright_bufferpool@2.0.so
index a196564..b06d110 100755
--- a/arm64/arch-arm-armv8-a/shared/vndk-core/libstagefright_bufferpool@2.0.so
+++ b/arm64/arch-arm-armv8-a/shared/vndk-core/libstagefright_bufferpool@2.0.so
Binary files differ
diff --git a/arm64/arch-arm64-armv8-a/shared/vndk-core/libstagefright_bufferpool@2.0.so b/arm64/arch-arm64-armv8-a/shared/vndk-core/libstagefright_bufferpool@2.0.so
index 5d57092..3e06ff5 100755
--- a/arm64/arch-arm64-armv8-a/shared/vndk-core/libstagefright_bufferpool@2.0.so
+++ b/arm64/arch-arm64-armv8-a/shared/vndk-core/libstagefright_bufferpool@2.0.so
Binary files differ
diff --git a/arm64/include/system/libfmq/include/fmq/MessageQueueBase.h b/arm64/include/system/libfmq/include/fmq/MessageQueueBase.h
index c34a4ff..f4bf7e2 100644
--- a/arm64/include/system/libfmq/include/fmq/MessageQueueBase.h
+++ b/arm64/include/system/libfmq/include/fmq/MessageQueueBase.h
@@ -586,12 +586,6 @@
return;
}
- const auto& grantors = mDesc->grantors();
- for (const auto& grantor : grantors) {
- hardware::details::check(hardware::details::isAlignedToWordBoundary(grantor.offset) == true,
- "Grantor offsets need to be aligned");
- }
-
if (flavor == kSynchronizedReadWrite) {
mReadPtr = reinterpret_cast<std::atomic<uint64_t>*>(
mapGrantorDescr(hardware::details::READPTRPOS));
@@ -602,11 +596,11 @@
*/
mReadPtr = new (std::nothrow) std::atomic<uint64_t>;
}
- hardware::details::check(mReadPtr != nullptr, "mReadPtr is null");
+ if (mReadPtr == nullptr) goto error;
mWritePtr = reinterpret_cast<std::atomic<uint64_t>*>(
mapGrantorDescr(hardware::details::WRITEPTRPOS));
- hardware::details::check(mWritePtr != nullptr, "mWritePtr is null");
+ if (mWritePtr == nullptr) goto error;
if (resetPointers) {
mReadPtr->store(0, std::memory_order_release);
@@ -617,14 +611,32 @@
}
mRing = reinterpret_cast<uint8_t*>(mapGrantorDescr(hardware::details::DATAPTRPOS));
- hardware::details::check(mRing != nullptr, "mRing is null");
+ if (mRing == nullptr) goto error;
if (mDesc->countGrantors() > hardware::details::EVFLAGWORDPOS) {
mEvFlagWord = static_cast<std::atomic<uint32_t>*>(
mapGrantorDescr(hardware::details::EVFLAGWORDPOS));
- hardware::details::check(mEvFlagWord != nullptr, "mEvFlagWord is null");
+ if (mEvFlagWord == nullptr) goto error;
android::hardware::EventFlag::createEventFlag(mEvFlagWord, &mEventFlag);
}
+ return;
+error:
+ if (mReadPtr) {
+ if (flavor == kSynchronizedReadWrite) {
+ unmapGrantorDescr(mReadPtr, hardware::details::READPTRPOS);
+ } else {
+ delete mReadPtr;
+ }
+ mReadPtr = nullptr;
+ }
+ if (mWritePtr) {
+ unmapGrantorDescr(mWritePtr, hardware::details::WRITEPTRPOS);
+ mWritePtr = nullptr;
+ }
+ if (mRing) {
+ unmapGrantorDescr(mRing, hardware::details::EVFLAGWORDPOS);
+ mRing = nullptr;
+ }
}
template <template <typename, MQFlavor> typename MQDescriptorType, typename T, MQFlavor flavor>
@@ -1234,7 +1246,7 @@
template <template <typename, MQFlavor> typename MQDescriptorType, typename T, MQFlavor flavor>
void* MessageQueueBase<MQDescriptorType, T, flavor>::mapGrantorDescr(uint32_t grantorIdx) {
const native_handle_t* handle = mDesc->handle();
- auto grantors = mDesc->grantors();
+ const std::vector<android::hardware::GrantorDescriptor> grantors = mDesc->grantors();
if (handle == nullptr) {
hardware::details::logError("mDesc->handle is null");
return nullptr;
@@ -1247,10 +1259,32 @@
}
int fdIndex = grantors[grantorIdx].fdIndex;
+ if (fdIndex < 0 || fdIndex >= handle->numFds) {
+ hardware::details::logError(
+ std::string("fdIndex (" + std::to_string(fdIndex) + ") from grantor (index " +
+ std::to_string(grantorIdx) +
+ ") must be smaller than the number of fds in the handle: " +
+ std::to_string(handle->numFds)));
+ return nullptr;
+ }
+
/*
* Offset for mmap must be a multiple of PAGE_SIZE.
*/
+ if (!hardware::details::isAlignedToWordBoundary(grantors[grantorIdx].offset)) {
+ hardware::details::logError("Grantor (index " + std::to_string(grantorIdx) +
+ ") offset needs to be aligned to word boundary but is: " +
+ std::to_string(grantors[grantorIdx].offset));
+ return nullptr;
+ }
+
int mapOffset = (grantors[grantorIdx].offset / PAGE_SIZE) * PAGE_SIZE;
+ if (grantors[grantorIdx].extent < 0 || grantors[grantorIdx].extent > INT_MAX - PAGE_SIZE) {
+ hardware::details::logError(std::string("Grantor (index " + std::to_string(grantorIdx) +
+ ") extent value is too large or negative: " +
+ std::to_string(grantors[grantorIdx].extent)));
+ return nullptr;
+ }
int mapLength = grantors[grantorIdx].offset - mapOffset + grantors[grantorIdx].extent;
void* address = mmap(0, mapLength, PROT_READ | PROT_WRITE, MAP_SHARED, handle->data[fdIndex],
diff --git a/x86/arch-x86/shared/vndk-core/libstagefright_bufferpool@2.0.so b/x86/arch-x86/shared/vndk-core/libstagefright_bufferpool@2.0.so
index 019422c..01900f1 100755
--- a/x86/arch-x86/shared/vndk-core/libstagefright_bufferpool@2.0.so
+++ b/x86/arch-x86/shared/vndk-core/libstagefright_bufferpool@2.0.so
Binary files differ
diff --git a/x86/include/system/libfmq/include/fmq/MessageQueueBase.h b/x86/include/system/libfmq/include/fmq/MessageQueueBase.h
index c34a4ff..f4bf7e2 100644
--- a/x86/include/system/libfmq/include/fmq/MessageQueueBase.h
+++ b/x86/include/system/libfmq/include/fmq/MessageQueueBase.h
@@ -586,12 +586,6 @@
return;
}
- const auto& grantors = mDesc->grantors();
- for (const auto& grantor : grantors) {
- hardware::details::check(hardware::details::isAlignedToWordBoundary(grantor.offset) == true,
- "Grantor offsets need to be aligned");
- }
-
if (flavor == kSynchronizedReadWrite) {
mReadPtr = reinterpret_cast<std::atomic<uint64_t>*>(
mapGrantorDescr(hardware::details::READPTRPOS));
@@ -602,11 +596,11 @@
*/
mReadPtr = new (std::nothrow) std::atomic<uint64_t>;
}
- hardware::details::check(mReadPtr != nullptr, "mReadPtr is null");
+ if (mReadPtr == nullptr) goto error;
mWritePtr = reinterpret_cast<std::atomic<uint64_t>*>(
mapGrantorDescr(hardware::details::WRITEPTRPOS));
- hardware::details::check(mWritePtr != nullptr, "mWritePtr is null");
+ if (mWritePtr == nullptr) goto error;
if (resetPointers) {
mReadPtr->store(0, std::memory_order_release);
@@ -617,14 +611,32 @@
}
mRing = reinterpret_cast<uint8_t*>(mapGrantorDescr(hardware::details::DATAPTRPOS));
- hardware::details::check(mRing != nullptr, "mRing is null");
+ if (mRing == nullptr) goto error;
if (mDesc->countGrantors() > hardware::details::EVFLAGWORDPOS) {
mEvFlagWord = static_cast<std::atomic<uint32_t>*>(
mapGrantorDescr(hardware::details::EVFLAGWORDPOS));
- hardware::details::check(mEvFlagWord != nullptr, "mEvFlagWord is null");
+ if (mEvFlagWord == nullptr) goto error;
android::hardware::EventFlag::createEventFlag(mEvFlagWord, &mEventFlag);
}
+ return;
+error:
+ if (mReadPtr) {
+ if (flavor == kSynchronizedReadWrite) {
+ unmapGrantorDescr(mReadPtr, hardware::details::READPTRPOS);
+ } else {
+ delete mReadPtr;
+ }
+ mReadPtr = nullptr;
+ }
+ if (mWritePtr) {
+ unmapGrantorDescr(mWritePtr, hardware::details::WRITEPTRPOS);
+ mWritePtr = nullptr;
+ }
+ if (mRing) {
+ unmapGrantorDescr(mRing, hardware::details::EVFLAGWORDPOS);
+ mRing = nullptr;
+ }
}
template <template <typename, MQFlavor> typename MQDescriptorType, typename T, MQFlavor flavor>
@@ -1234,7 +1246,7 @@
template <template <typename, MQFlavor> typename MQDescriptorType, typename T, MQFlavor flavor>
void* MessageQueueBase<MQDescriptorType, T, flavor>::mapGrantorDescr(uint32_t grantorIdx) {
const native_handle_t* handle = mDesc->handle();
- auto grantors = mDesc->grantors();
+ const std::vector<android::hardware::GrantorDescriptor> grantors = mDesc->grantors();
if (handle == nullptr) {
hardware::details::logError("mDesc->handle is null");
return nullptr;
@@ -1247,10 +1259,32 @@
}
int fdIndex = grantors[grantorIdx].fdIndex;
+ if (fdIndex < 0 || fdIndex >= handle->numFds) {
+ hardware::details::logError(
+ std::string("fdIndex (" + std::to_string(fdIndex) + ") from grantor (index " +
+ std::to_string(grantorIdx) +
+ ") must be smaller than the number of fds in the handle: " +
+ std::to_string(handle->numFds)));
+ return nullptr;
+ }
+
/*
* Offset for mmap must be a multiple of PAGE_SIZE.
*/
+ if (!hardware::details::isAlignedToWordBoundary(grantors[grantorIdx].offset)) {
+ hardware::details::logError("Grantor (index " + std::to_string(grantorIdx) +
+ ") offset needs to be aligned to word boundary but is: " +
+ std::to_string(grantors[grantorIdx].offset));
+ return nullptr;
+ }
+
int mapOffset = (grantors[grantorIdx].offset / PAGE_SIZE) * PAGE_SIZE;
+ if (grantors[grantorIdx].extent < 0 || grantors[grantorIdx].extent > INT_MAX - PAGE_SIZE) {
+ hardware::details::logError(std::string("Grantor (index " + std::to_string(grantorIdx) +
+ ") extent value is too large or negative: " +
+ std::to_string(grantors[grantorIdx].extent)));
+ return nullptr;
+ }
int mapLength = grantors[grantorIdx].offset - mapOffset + grantors[grantorIdx].extent;
void* address = mmap(0, mapLength, PROT_READ | PROT_WRITE, MAP_SHARED, handle->data[fdIndex],
diff --git a/x86_64/arch-x86-x86_64/shared/vndk-core/libstagefright_bufferpool@2.0.so b/x86_64/arch-x86-x86_64/shared/vndk-core/libstagefright_bufferpool@2.0.so
index 07c1213..63cba44 100755
--- a/x86_64/arch-x86-x86_64/shared/vndk-core/libstagefright_bufferpool@2.0.so
+++ b/x86_64/arch-x86-x86_64/shared/vndk-core/libstagefright_bufferpool@2.0.so
Binary files differ
diff --git a/x86_64/arch-x86_64/shared/vndk-core/libstagefright_bufferpool@2.0.so b/x86_64/arch-x86_64/shared/vndk-core/libstagefright_bufferpool@2.0.so
index 4ab9665..960ec0a 100755
--- a/x86_64/arch-x86_64/shared/vndk-core/libstagefright_bufferpool@2.0.so
+++ b/x86_64/arch-x86_64/shared/vndk-core/libstagefright_bufferpool@2.0.so
Binary files differ
diff --git a/x86_64/include/system/libfmq/include/fmq/MessageQueueBase.h b/x86_64/include/system/libfmq/include/fmq/MessageQueueBase.h
index c34a4ff..f4bf7e2 100644
--- a/x86_64/include/system/libfmq/include/fmq/MessageQueueBase.h
+++ b/x86_64/include/system/libfmq/include/fmq/MessageQueueBase.h
@@ -586,12 +586,6 @@
return;
}
- const auto& grantors = mDesc->grantors();
- for (const auto& grantor : grantors) {
- hardware::details::check(hardware::details::isAlignedToWordBoundary(grantor.offset) == true,
- "Grantor offsets need to be aligned");
- }
-
if (flavor == kSynchronizedReadWrite) {
mReadPtr = reinterpret_cast<std::atomic<uint64_t>*>(
mapGrantorDescr(hardware::details::READPTRPOS));
@@ -602,11 +596,11 @@
*/
mReadPtr = new (std::nothrow) std::atomic<uint64_t>;
}
- hardware::details::check(mReadPtr != nullptr, "mReadPtr is null");
+ if (mReadPtr == nullptr) goto error;
mWritePtr = reinterpret_cast<std::atomic<uint64_t>*>(
mapGrantorDescr(hardware::details::WRITEPTRPOS));
- hardware::details::check(mWritePtr != nullptr, "mWritePtr is null");
+ if (mWritePtr == nullptr) goto error;
if (resetPointers) {
mReadPtr->store(0, std::memory_order_release);
@@ -617,14 +611,32 @@
}
mRing = reinterpret_cast<uint8_t*>(mapGrantorDescr(hardware::details::DATAPTRPOS));
- hardware::details::check(mRing != nullptr, "mRing is null");
+ if (mRing == nullptr) goto error;
if (mDesc->countGrantors() > hardware::details::EVFLAGWORDPOS) {
mEvFlagWord = static_cast<std::atomic<uint32_t>*>(
mapGrantorDescr(hardware::details::EVFLAGWORDPOS));
- hardware::details::check(mEvFlagWord != nullptr, "mEvFlagWord is null");
+ if (mEvFlagWord == nullptr) goto error;
android::hardware::EventFlag::createEventFlag(mEvFlagWord, &mEventFlag);
}
+ return;
+error:
+ if (mReadPtr) {
+ if (flavor == kSynchronizedReadWrite) {
+ unmapGrantorDescr(mReadPtr, hardware::details::READPTRPOS);
+ } else {
+ delete mReadPtr;
+ }
+ mReadPtr = nullptr;
+ }
+ if (mWritePtr) {
+ unmapGrantorDescr(mWritePtr, hardware::details::WRITEPTRPOS);
+ mWritePtr = nullptr;
+ }
+ if (mRing) {
+ unmapGrantorDescr(mRing, hardware::details::EVFLAGWORDPOS);
+ mRing = nullptr;
+ }
}
template <template <typename, MQFlavor> typename MQDescriptorType, typename T, MQFlavor flavor>
@@ -1234,7 +1246,7 @@
template <template <typename, MQFlavor> typename MQDescriptorType, typename T, MQFlavor flavor>
void* MessageQueueBase<MQDescriptorType, T, flavor>::mapGrantorDescr(uint32_t grantorIdx) {
const native_handle_t* handle = mDesc->handle();
- auto grantors = mDesc->grantors();
+ const std::vector<android::hardware::GrantorDescriptor> grantors = mDesc->grantors();
if (handle == nullptr) {
hardware::details::logError("mDesc->handle is null");
return nullptr;
@@ -1247,10 +1259,32 @@
}
int fdIndex = grantors[grantorIdx].fdIndex;
+ if (fdIndex < 0 || fdIndex >= handle->numFds) {
+ hardware::details::logError(
+ std::string("fdIndex (" + std::to_string(fdIndex) + ") from grantor (index " +
+ std::to_string(grantorIdx) +
+ ") must be smaller than the number of fds in the handle: " +
+ std::to_string(handle->numFds)));
+ return nullptr;
+ }
+
/*
* Offset for mmap must be a multiple of PAGE_SIZE.
*/
+ if (!hardware::details::isAlignedToWordBoundary(grantors[grantorIdx].offset)) {
+ hardware::details::logError("Grantor (index " + std::to_string(grantorIdx) +
+ ") offset needs to be aligned to word boundary but is: " +
+ std::to_string(grantors[grantorIdx].offset));
+ return nullptr;
+ }
+
int mapOffset = (grantors[grantorIdx].offset / PAGE_SIZE) * PAGE_SIZE;
+ if (grantors[grantorIdx].extent < 0 || grantors[grantorIdx].extent > INT_MAX - PAGE_SIZE) {
+ hardware::details::logError(std::string("Grantor (index " + std::to_string(grantorIdx) +
+ ") extent value is too large or negative: " +
+ std::to_string(grantors[grantorIdx].extent)));
+ return nullptr;
+ }
int mapLength = grantors[grantorIdx].offset - mapOffset + grantors[grantorIdx].extent;
void* address = mmap(0, mapLength, PROT_READ | PROT_WRITE, MAP_SHARED, handle->data[fdIndex],