
Commit 0495c029 authored by Ray Essick

Fix TOCTOU problem in libstagefright_soft_aacenc

Fixes a configuration error where we sized a buffer initially based
on the configuration at the time and held onto the buffer through the
rest of our lifetime. If the configuration was changed in a way that
resulted in needing a different size buffer, the code did not make
this happen.

Patch keeps the buffer around but also stores the 'current allocation
size'.  This allows the later code that preps the buffer to query if
the buffer size is same or changed.  If changed, we discard the old
buffer and allocate a new one of the appropriate size.

SafetyNet logging added so we can tell how often this happens in the
field.

Testing was done on nyc-mr2 (where poc was built). Patch applies
without change to k/l/m/n/master.

Bug: 34621073
Test: run POC, saw new diagnostics saying it caught the size change.
Change-Id: Ia95aadc8c727434b7ba9628deeae327c405336d3
parent dd447c35
+12 −0
@@ -16,6 +16,7 @@

//#define LOG_NDEBUG 0
#define LOG_TAG "SoftAACEncoder2"
#include <log/log.h>
#include <utils/Log.h>

#include "SoftAACEncoder2.h"
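Review bot: the new `#include <log/log.h>` exists only to declare `android_errorWriteLog()` for the diagnostic added further down, yet `#include <utils/Log.h>` stays directly below it; check whether `<utils/Log.h>` already pulls in `<log/log.h>` on the branches this is meant to land on (k/l/m/n per the commit message) and drop the redundant one if so, or add a one-line comment stating why both are needed.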
@@ -48,6 +49,7 @@ SoftAACEncoder2::SoftAACEncoder2(
      mSentCodecSpecificData(false),
      mInputSize(0),
      mInputFrame(NULL),
      mAllocatedFrameSize(0),
      mInputTimeUs(-1ll),
      mSawInputEOS(false),
      mSignalledError(false) {
@@ -450,6 +452,15 @@ void SoftAACEncoder2::onQueueFilled(OMX_U32 portIndex) {

            if (mInputFrame == NULL) {
                mInputFrame = new int16_t[numBytesPerInputFrame / sizeof(int16_t)];
                mAllocatedFrameSize = numBytesPerInputFrame;
            } else if (mAllocatedFrameSize != numBytesPerInputFrame) {
                ALOGE("b/34621073: changed size from %d to %d",
                        (int)mAllocatedFrameSize, (int)numBytesPerInputFrame);
                android_errorWriteLog(0x534e4554,"34621073");
                delete mInputFrame;
                mInputFrame = new int16_t[numBytesPerInputFrame / sizeof(int16_t)];
                mAllocatedFrameSize = numBytesPerInputFrame;

            }

            if (mInputSize == 0) {
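Review bot: `delete mInputFrame;` in the resize branch must be `delete[] mInputFrame;`, since the buffer is created with `new int16_t[...]` two lines above and two lines below, and `onReset()` already frees it with `delete[]`; a scalar delete on an array allocation is undefined behaviour. The branch also reallocates the frame without touching `mInputSize`, but the code immediately after still treats `mInputSize` as the count of valid bytes already buffered (it tests `if (mInputSize == 0)`), so a stale non-zero value from a partial frame under the old size would point into uninitialized memory of the new, possibly smaller, buffer; reset `mInputSize = 0` next to `mAllocatedFrameSize = numBytesPerInputFrame;` so the resize is a clean restart. Minor: drop the stray blank line before the closing brace, and `%zu` would print the two `size_t` values without the `(int)` casts.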
@@ -600,6 +611,7 @@ void SoftAACEncoder2::onReset() {
    delete[] mInputFrame;
    mInputFrame = NULL;
    mInputSize = 0;
    mAllocatedFrameSize = 0;

    mSentCodecSpecificData = false;
    mInputTimeUs = -1ll;
+1 −0
@@ -60,6 +60,7 @@ private:
    bool mSentCodecSpecificData;
    size_t mInputSize;
    int16_t *mInputFrame;
    size_t mAllocatedFrameSize;
    int64_t mInputTimeUs;

    bool mSawInputEOS;
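Review bot: `size_t mAllocatedFrameSize;` stores a byte count (it is assigned from `numBytesPerInputFrame` in the .cpp) while the buffer it tracks, `mInputFrame`, is an `int16_t*` sized in elements; add a comment here stating the unit, e.g. `// bytes; matches numBytesPerInputFrame at allocation time`, or name it `mAllocatedFrameBytes`, so a later comparison against an element count does not silently defeat the resize check.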