
Commit 0f56965e authored by will-cw.chen, committed by Wonsik Kim

Fix MediaCodec potential use-after-free

Fix a MediaCodec potential use-after-free problem when
MediaCodec is started and onError occurs.

When onError -> setState(UNINITIALIZED), there is a timing where
returnBuffersToCodec() is done and mState is not yet set to
UNINITIALIZED. At this moment, if getBuffer(..) is called, a null
buffer will be returned. Usually, the APK will use it without checking,
and that causes the problem.

Test: manual with YouTube
Test: atest CtsMediaCodecTestCases -- --feature-flags:flag-value \
            codec_fwk/android.media.codec.set_state_early=true
Bug: 298613712
Flag: codec_fwk.android.media.codec.set_state_early
Change-Id: I4e9a4d3be7227e68ef2f59df4602d75fdc454001
parent 20c9bba5
+10 −0
@@ -12,6 +12,16 @@ flag {
  bug: "201479783"
}

flag {
  name: "set_state_early"
  namespace: "codec_fwk"
  description: "Bugfix flag for setting state early to avoid a race condition"
  bug: "298613712"
  metadata {
    purpose: PURPOSE_BUGFIX
  }
}

flag {
  name: "dynamic_color_aspects"
  is_exported: true
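Review bot: the description "Bugfix flag for setting state early to avoid a race condition" does not say which state is set early or what it races with; since this flag gates where `mState = newState` happens in MediaCodec::setState relative to returnBuffersToCodec(), suggest spelling that out, e.g. `description: "Bugfix flag: set mState before returnBuffersToCodec() in MediaCodec::setState to avoid a race with getBuffer()"`, so the flag can be understood and later cleaned up without reading the commit history. The `purpose: PURPOSE_BUGFIX` metadata is consistent with that intent.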
+7 −1
@@ -6052,6 +6052,10 @@ void MediaCodec::setState(State newState) {
        mErrorLog.clear();
    }

    if (android::media::codec::provider_->set_state_early()) {
        mState = newState;
    }

    if (newState == UNINITIALIZED) {
        // return any straggling buffers, e.g. if we got here on an error
        returnBuffersToCodec();
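Review bot: with the flag on, mState is now assigned before returnBuffersToCodec() runs, so anything in returnBuffersToCodec() (or between these two points) that depends on the previous state now sees the new one; please confirm that is intended and add a comment above the new `if` explaining the ordering, since the flag name alone does not convey why the assignment moved. Also, `android::media::codec::provider_->set_state_early()` is evaluated here and again, negated, later in the same function; if the two reads could ever disagree, mState would be assigned twice or not at all. Reading it once into a local (`const bool setStateEarly = android::media::codec::provider_->set_state_early();`) at the top of setState and using that in both places makes the exactly-once assignment explicit.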
@@ -6062,7 +6066,9 @@ void MediaCodec::setState(State newState) {
        mFlags &= ~kFlagSawMediaServerDie;
    }

    if (!android::media::codec::provider_->set_state_early()) {
        mState = newState;
    }

    if (mBatteryChecker != nullptr) {
        mBatteryChecker->setExecuting(isExecuting());
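Review bot: this `!set_state_early()` branch is the flag-off counterpart of the assignment added earlier in setState, and the two checks must observe the same flag value or the state update is lost or duplicated; a short comment marking this as the legacy position to be deleted when the flag is cleaned up would make the pairing obvious to whoever removes the flag. The `mBatteryChecker->setExecuting(isExecuting())` call that follows runs after mState has been updated on both paths, so its behaviour is unchanged by the flag.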