Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit a2c38490 authored by Shruti Bihani's avatar Shruti Bihani Committed by Automerger Merge Worker
Browse files

Fix heap-use-after-free issue flagged by fuzzer test. am: 15b46d31 

Original change: https://googleplex-android-review.googlesource.com/c/platform/frameworks/av/+/24296959



Change-Id: I25dc19d96f4bb17f856d0fd46ee0ca496b47c083
Signed-off-by: default avatarAutomerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
parents 5e34d379 15b46d31

media/mtp/MtpFfsHandle.cpp

+14 −0
Original line number Diff line number Diff line
@@ -297,6 +297,10 @@ int MtpFfsHandle::start(bool ptp) { 
}



void MtpFfsHandle::close() {

    auto timeout = std::chrono::seconds(2);

    std::unique_lock lk(m);

    cv.wait_for(lk, timeout ,[this]{return child_threads==0;});



    io_destroy(mCtx);

    closeEndpoints();

    closeConfig();
@@ -669,6 +673,11 @@ int MtpFfsHandle::sendEvent(mtp_event me) { 
    char *temp = new char[me.length];

    memcpy(temp, me.data, me.length);

    me.data = temp;



    std::unique_lock lk(m);

    child_threads++;

    lk.unlock();



    std::thread t([this, me]() { return this->doSendEvent(me); });

    t.detach();

    return 0;
@@ -680,6 +689,11 @@ void MtpFfsHandle::doSendEvent(mtp_event me) { 
    if (static_cast<unsigned>(ret) != length)

        PLOG(ERROR) << "Mtp error sending event thread!";

    delete[] reinterpret_cast<char*>(me.data);



    std::unique_lock lk(m);

    child_threads--;

    lk.unlock();

    cv.notify_one();

}



} // namespace android

media/mtp/MtpFfsHandle.h

+4 −0
Original line number Diff line number Diff line
@@ -60,6 +60,10 @@ protected: 
    bool mCanceled;

    bool mBatchCancel;



    std::mutex m;

    std::condition_variable cv;

    std::atomic<int> child_threads{0};



    android::base::unique_fd mControl;

    // "in" from the host's perspective => sink for mtp server

    android::base::unique_fd mBulkIn;