DO NOT MERGE: mm-video-v4l2: vdec: Disallow changing buffer modes/counts on allocated ports (f7ccd457) · Commits · Android-smartphones / realme / realme 5pro / kaderbava / hardware_qcom_media

Commit f7ccd457 authored Aug 25, 2016 by Praveen Chavan Committed by Ray Essick Oct 06, 2016

DO NOT MERGE: mm-video-v4l2: vdec: Disallow changing buffer modes/counts on allocated ports

Changing Count, size, usage-mode (metadata/bytebuffer/native-handle) or
allocation-mode (allocateBuffer/UseBuffer) of buffers should only be
allowed when the port hasn't been allocated yet.
Since buffer-modes determine the payload-size in case of meta-buffer-mode,
and also determine the memory-base to derive buffer indices from buffer-
headers, letting the client change count/size/mode on a pre-allocated port
will cause inconsistencies in the size of memory allocated for headers and
lead to index overflows.
Fix the range checks for the derived buffer-indices to avoid out-of-bounds
writes.

Also, ensure buffer-mode settings (metadata-mode, native-handle-mode)
are intended for the right ports.

Bug: 29617572 : Heap Overflow/LPE in MediaServer (libOmxVdec problem #8)
Bug: 29982686 : Memory Write/LPE in MediaServer (libOmxVdec problem #10)

Change-Id: I619636a48779580c247bffb3752c3e4025b46542

parent fe96f9be

Hide whitespace changes

Inline Side-by-side

Please register or to comment