
Commit 1658f22e authored by Lajos Molnar's avatar Lajos Molnar

IOMX: work against metadata buffer spoofing

- Prohibit direct set/getParam/Settings for extensions meant for
  OMXNodeInstance alone. This disallows enabling metadata mode
  without the knowledge of OMXNodeInstance.
- Do not share metadata mode buffers cross process.
- Disallow setting up metadata mode/tunneling/input surface
  after first sendCommand.
- Disallow store-meta for input cross process.
- Disallow emptyBuffer for surface input (via IOMX).
- Fix checking for input surface.

Bug: 29422020
Change-Id: I801c77b80e703903f62e42d76fd2e76a34e4bc8e
parent db135b50
+2 −2
@@ -109,7 +109,7 @@ public:
    // Use |params| as an OMX buffer, but limit the size of the OMX buffer to |allottedSize|.
    // Use |params| as an OMX buffer, but limit the size of the OMX buffer to |allottedSize|.
    virtual status_t useBuffer(
    virtual status_t useBuffer(
            node_id node, OMX_U32 port_index, const sp<IMemory> &params,
            node_id node, OMX_U32 port_index, const sp<IMemory> &params,
            buffer_id *buffer, OMX_U32 allottedSize) = 0;
            buffer_id *buffer, OMX_U32 allottedSize, OMX_BOOL crossProcess = OMX_FALSE) = 0;


    virtual status_t useGraphicBuffer(
    virtual status_t useGraphicBuffer(
            node_id node, OMX_U32 port_index,
            node_id node, OMX_U32 port_index,
@@ -156,7 +156,7 @@ public:
    // may be larger.
    // may be larger.
    virtual status_t allocateBufferWithBackup(
    virtual status_t allocateBufferWithBackup(
            node_id node, OMX_U32 port_index, const sp<IMemory> &params,
            node_id node, OMX_U32 port_index, const sp<IMemory> &params,
            buffer_id *buffer, OMX_U32 allottedSize) = 0;
            buffer_id *buffer, OMX_U32 allottedSize, OMX_BOOL crossProcess = OMX_FALSE) = 0;


    virtual status_t freeBuffer(
    virtual status_t freeBuffer(
            node_id node, OMX_U32 port_index, buffer_id buffer) = 0;
            node_id node, OMX_U32 port_index, buffer_id buffer) = 0;
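Review bot: The new `crossProcess` parameter defaults to `OMX_FALSE` on both pure virtuals (`useBuffer` and `allocateBufferWithBackup`), so any call site that was not updated silently takes the in-process path, which the commit description suggests is the less restricted one. Default arguments on virtual functions are also bound from the static type, and the overriding declarations in the later sections of this commit carry no default, so what a caller may omit depends on the pointer type it holds. Consider dropping the default so every caller has to state the trust boundary, e.g. `buffer_id *buffer, OMX_U32 allottedSize, OMX_BOOL crossProcess) = 0;`, or at least add a comment naming which entry point is expected to pass `OMX_TRUE`. The interface class starts and ends outside both hunks.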
+4 −1
@@ -1044,7 +1044,10 @@ status_t BnOMX::onTransact(
            OMX_BOOL enable = (OMX_BOOL)data.readInt32();
            OMX_BOOL enable = (OMX_BOOL)data.readInt32();


            MetadataBufferType type = (MetadataBufferType)data.readInt32();
            MetadataBufferType type = (MetadataBufferType)data.readInt32();
            status_t err = storeMetaDataInBuffers(node, port_index, enable, &type);
            status_t err =
                // only control output metadata via Binder
                port_index != 1 /* kOutputPortIndex */ ? BAD_VALUE :
                storeMetaDataInBuffers(node, port_index, enable, &type);


            reply->writeInt32(type);
            reply->writeInt32(type);
            reply->writeInt32(err);
            reply->writeInt32(err);
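Review bot: The port check compares against the literal `1` and names the constant only in a comment (`/* kOutputPortIndex */`), so this security gate is not tied to the value it is meant to track; if a named constant is reachable from this file use it, otherwise define one next to the check, e.g. `static const OMX_U32 kOutputPortIndex = 1;`, and test `port_index != kOutputPortIndex`. In the same case, `enable` and `type` are cast straight from `data.readInt32()` to `OMX_BOOL` and `MetadataBufferType` without a range check, and the caller-supplied `type` is written back to the reply on the `BAD_VALUE` path as well; validation may happen inside `storeMetaDataInBuffers`, which is not visible here. The enclosing `onTransact` case starts and ends outside the hunk.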
+7 −6
@@ -101,7 +101,7 @@ struct MuxOMX : public IOMX {


    virtual status_t useBuffer(
    virtual status_t useBuffer(
            node_id node, OMX_U32 port_index, const sp<IMemory> &params,
            node_id node, OMX_U32 port_index, const sp<IMemory> &params,
            buffer_id *buffer, OMX_U32 allottedSize);
            buffer_id *buffer, OMX_U32 allottedSize, OMX_BOOL crossProcess);


    virtual status_t useGraphicBuffer(
    virtual status_t useGraphicBuffer(
            node_id node, OMX_U32 port_index,
            node_id node, OMX_U32 port_index,
@@ -135,7 +135,7 @@ struct MuxOMX : public IOMX {


    virtual status_t allocateBufferWithBackup(
    virtual status_t allocateBufferWithBackup(
            node_id node, OMX_U32 port_index, const sp<IMemory> &params,
            node_id node, OMX_U32 port_index, const sp<IMemory> &params,
            buffer_id *buffer, OMX_U32 allottedSize);
            buffer_id *buffer, OMX_U32 allottedSize, OMX_BOOL crossProcess);


    virtual status_t freeBuffer(
    virtual status_t freeBuffer(
            node_id node, OMX_U32 port_index, buffer_id buffer);
            node_id node, OMX_U32 port_index, buffer_id buffer);
@@ -379,8 +379,9 @@ status_t MuxOMX::getGraphicBufferUsage(


status_t MuxOMX::useBuffer(
status_t MuxOMX::useBuffer(
        node_id node, OMX_U32 port_index, const sp<IMemory> &params,
        node_id node, OMX_U32 port_index, const sp<IMemory> &params,
        buffer_id *buffer, OMX_U32 allottedSize) {
        buffer_id *buffer, OMX_U32 allottedSize, OMX_BOOL /* crossProcess */) {
    return getOMX(node)->useBuffer(node, port_index, params, buffer, allottedSize);
    return getOMX(node)->useBuffer(
            node, port_index, params, buffer, allottedSize, OMX_FALSE /* crossProcess */);
}
}


status_t MuxOMX::useGraphicBuffer(
status_t MuxOMX::useGraphicBuffer(
@@ -447,9 +448,9 @@ status_t MuxOMX::allocateSecureBuffer(


status_t MuxOMX::allocateBufferWithBackup(
status_t MuxOMX::allocateBufferWithBackup(
        node_id node, OMX_U32 port_index, const sp<IMemory> &params,
        node_id node, OMX_U32 port_index, const sp<IMemory> &params,
        buffer_id *buffer, OMX_U32 allottedSize) {
        buffer_id *buffer, OMX_U32 allottedSize, OMX_BOOL /* crossProcess */) {
    return getOMX(node)->allocateBufferWithBackup(
    return getOMX(node)->allocateBufferWithBackup(
            node, port_index, params, buffer, allottedSize);
            node, port_index, params, buffer, allottedSize, OMX_FALSE /* crossProcess */);
}
}


status_t MuxOMX::freeBuffer(
status_t MuxOMX::freeBuffer(
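Review bot: Both `MuxOMX::useBuffer` and `MuxOMX::allocateBufferWithBackup` discard the caller's `crossProcess` argument (the parameter name is commented out) and forward a hard-coded `OMX_FALSE`, and nothing in the code says why that is safe. If the intent is that this multiplexer is only ever called by an in-process client and remote callers are flagged elsewhere, state it above each definition, e.g. `// crossProcess is decided at the Binder boundary; calls through MuxOMX are always local`. Without that, a future caller passing `OMX_TRUE` would have the restriction dropped with no error or log. `getOMX` is defined outside this section, so whether it can hand back a remote proxy cannot be confirmed from here.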
+2 −2
@@ -83,7 +83,7 @@ public:


    virtual status_t useBuffer(
    virtual status_t useBuffer(
            node_id node, OMX_U32 port_index, const sp<IMemory> &params,
            node_id node, OMX_U32 port_index, const sp<IMemory> &params,
            buffer_id *buffer, OMX_U32 allottedSize);
            buffer_id *buffer, OMX_U32 allottedSize, OMX_BOOL crossProcess);


    virtual status_t useGraphicBuffer(
    virtual status_t useGraphicBuffer(
            node_id node, OMX_U32 port_index,
            node_id node, OMX_U32 port_index,
@@ -119,7 +119,7 @@ public:


    virtual status_t allocateBufferWithBackup(
    virtual status_t allocateBufferWithBackup(
            node_id node, OMX_U32 port_index, const sp<IMemory> &params,
            node_id node, OMX_U32 port_index, const sp<IMemory> &params,
            buffer_id *buffer, OMX_U32 allottedSize);
            buffer_id *buffer, OMX_U32 allottedSize, OMX_BOOL crossProcess);


    virtual status_t freeBuffer(
    virtual status_t freeBuffer(
            node_id node, OMX_U32 port_index, buffer_id buffer);
            node_id node, OMX_U32 port_index, buffer_id buffer);
+8 −2
@@ -21,6 +21,7 @@
#include "OMX.h"
#include "OMX.h"


#include <utils/RefBase.h>
#include <utils/RefBase.h>
#include <utils/SortedVector.h>
#include <utils/threads.h>
#include <utils/threads.h>


namespace android {
namespace android {
@@ -69,7 +70,7 @@ struct OMXNodeInstance {


    status_t useBuffer(
    status_t useBuffer(
            OMX_U32 portIndex, const sp<IMemory> &params,
            OMX_U32 portIndex, const sp<IMemory> &params,
            OMX::buffer_id *buffer, OMX_U32 allottedSize);
            OMX::buffer_id *buffer, OMX_U32 allottedSize, OMX_BOOL crossProcess);


    status_t useGraphicBuffer(
    status_t useGraphicBuffer(
            OMX_U32 portIndex, const sp<GraphicBuffer> &graphicBuffer,
            OMX_U32 portIndex, const sp<GraphicBuffer> &graphicBuffer,
@@ -106,7 +107,7 @@ struct OMXNodeInstance {


    status_t allocateBufferWithBackup(
    status_t allocateBufferWithBackup(
            OMX_U32 portIndex, const sp<IMemory> &params,
            OMX_U32 portIndex, const sp<IMemory> &params,
            OMX::buffer_id *buffer, OMX_U32 allottedSize);
            OMX::buffer_id *buffer, OMX_U32 allottedSize, OMX_BOOL crossProcess);


    status_t freeBuffer(OMX_U32 portIndex, OMX::buffer_id buffer);
    status_t freeBuffer(OMX_U32 portIndex, OMX::buffer_id buffer);


@@ -151,6 +152,9 @@ private:
    OMX_HANDLETYPE mHandle;
    OMX_HANDLETYPE mHandle;
    sp<IOMXObserver> mObserver;
    sp<IOMXObserver> mObserver;
    bool mDying;
    bool mDying;
    bool mSailed;  // configuration is set (no more meta-mode changes)
    bool mQueriedProhibitedExtensions;
    SortedVector<OMX_INDEXTYPE> mProhibitedExtensions;
    bool mIsSecure;
    bool mIsSecure;


    // Lock only covers mGraphicBufferSource.  We can't always use mLock
    // Lock only covers mGraphicBufferSource.  We can't always use mLock
@@ -204,6 +208,8 @@ private:
    OMX::buffer_id findBufferID(OMX_BUFFERHEADERTYPE *bufferHeader);
    OMX::buffer_id findBufferID(OMX_BUFFERHEADERTYPE *bufferHeader);
    void invalidateBufferID(OMX::buffer_id buffer);
    void invalidateBufferID(OMX::buffer_id buffer);


    bool isProhibitedIndex_l(OMX_INDEXTYPE index);

    status_t useGraphicBuffer2_l(
    status_t useGraphicBuffer2_l(
            OMX_U32 portIndex, const sp<GraphicBuffer> &graphicBuffer,
            OMX_U32 portIndex, const sp<GraphicBuffer> &graphicBuffer,
            OMX::buffer_id *buffer);
            OMX::buffer_id *buffer);
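Review bot: The new members `mSailed`, `mQueriedProhibitedExtensions` and `mProhibitedExtensions` gate the metadata-mode restrictions, but the constructor is not part of this section, so confirm both flags are initialised to `false` there; an indeterminate `mSailed` would make the "no changes after first sendCommand" rule unreliable. Only `mSailed` carries a comment; add `// true once the prohibited extension indices have been looked up` and `// extension indices clients may not set/get directly` to the other two, and note which lock guards all three. `isProhibitedIndex_l` follows the `_l` suffix used by `useGraphicBuffer2_l`, which presumably means the caller already holds `mLock`; a one-line comment on the declaration should say so.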