Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 2dd40fa4 authored by Krzysztof Semko's avatar Krzysztof Semko Committed by Takahiro Aizawa
Browse files

OMXNodeInstance: Do not use already freed memory. 

There is a possibility that other process might
try to access memory that was already freed by freeNode().
To fix this, first mHandle will be checked and only
then access will be allowed.

Test: forcibly kill app many times during omx is alive.
Bug: 113141946

Change-Id: Ib979d3b89cc90ddd7d4805eb0e4f0603a5406c98
parent 225f9921

media/libstagefright/omx/OMXNodeInstance.cpp

+54 −0
Original line number Diff line number Diff line
@@ -536,6 +536,9 @@ status_t OMXNodeInstance::sendCommand( 
    }



    Mutex::Autolock autoLock(mLock);

    if (mHandle == NULL) {

        return DEAD_OBJECT;

    }



    if (cmd == OMX_CommandStateSet) {

        // There are no configurations past first StateSet command.
@@ -600,6 +603,9 @@ bool OMXNodeInstance::isProhibitedIndex_l(OMX_INDEXTYPE index) { 
status_t OMXNodeInstance::getParameter(

        OMX_INDEXTYPE index, void *params, size_t /* size */) {

    Mutex::Autolock autoLock(mLock);

    if (mHandle == NULL) {

        return DEAD_OBJECT;

    }



    if (isProhibitedIndex_l(index)) {

        android_errorWriteLog(0x534e4554, "29422020");
@@ -618,6 +624,10 @@ status_t OMXNodeInstance::getParameter( 
status_t OMXNodeInstance::setParameter(

        OMX_INDEXTYPE index, const void *params, size_t size) {

    Mutex::Autolock autoLock(mLock);

    if (mHandle == NULL) {

        return DEAD_OBJECT;

    }



    OMX_INDEXEXTTYPE extIndex = (OMX_INDEXEXTTYPE)index;

    CLOG_CONFIG(setParameter, "%s(%#x), %zu@%p)", asString(extIndex), index, size, params);
@@ -639,6 +649,9 @@ status_t OMXNodeInstance::setParameter( 
status_t OMXNodeInstance::getConfig(

        OMX_INDEXTYPE index, void *params, size_t /* size */) {

    Mutex::Autolock autoLock(mLock);

    if (mHandle == NULL) {

        return DEAD_OBJECT;

    }



    if (isProhibitedIndex_l(index)) {

        android_errorWriteLog(0x534e4554, "29422020");
@@ -657,6 +670,10 @@ status_t OMXNodeInstance::getConfig( 
status_t OMXNodeInstance::setConfig(

        OMX_INDEXTYPE index, const void *params, size_t size) {

    Mutex::Autolock autoLock(mLock);

    if (mHandle == NULL) {

        return DEAD_OBJECT;

    }



    OMX_INDEXEXTTYPE extIndex = (OMX_INDEXEXTTYPE)index;

    CLOG_CONFIG(setConfig, "%s(%#x), %zu@%p)", asString(extIndex), index, size, params);
@@ -673,6 +690,9 @@ status_t OMXNodeInstance::setConfig( 


status_t OMXNodeInstance::setPortMode(OMX_U32 portIndex, IOMX::PortMode mode) {

    Mutex::Autolock autoLock(mLock);

    if (mHandle == NULL) {

        return DEAD_OBJECT;

    }



    if (portIndex >= NELEM(mPortMode)) {

        ALOGE("b/31385713, portIndex(%u)", portIndex);
@@ -855,6 +875,9 @@ status_t OMXNodeInstance::enableNativeBuffers_l( 
status_t OMXNodeInstance::getGraphicBufferUsage(

        OMX_U32 portIndex, OMX_U32* usage) {

    Mutex::Autolock autoLock(mLock);

    if (mHandle == NULL) {

        return DEAD_OBJECT;

    }



    OMX_INDEXTYPE index;

    OMX_STRING name = const_cast<OMX_STRING>(
@@ -968,6 +991,10 @@ status_t OMXNodeInstance::prepareForAdaptivePlayback( 
        OMX_U32 portIndex, OMX_BOOL enable, OMX_U32 maxFrameWidth,

        OMX_U32 maxFrameHeight) {

    Mutex::Autolock autolock(mLock);

    if (mHandle == NULL) {

        return DEAD_OBJECT;

    }



    if (mSailed) {

        android_errorWriteLog(0x534e4554, "29422020");

        return INVALID_OPERATION;
@@ -1008,6 +1035,10 @@ status_t OMXNodeInstance::configureVideoTunnelMode( 
        OMX_U32 portIndex, OMX_BOOL tunneled, OMX_U32 audioHwSync,

        native_handle_t **sidebandHandle) {

    Mutex::Autolock autolock(mLock);

    if (mHandle == NULL) {

        return DEAD_OBJECT;

    }



    if (mSailed) {

        android_errorWriteLog(0x534e4554, "29422020");

        return INVALID_OPERATION;
@@ -1062,6 +1093,10 @@ status_t OMXNodeInstance::useBuffer( 
    }



    Mutex::Autolock autoLock(mLock);

    if (mHandle == NULL) {

        return DEAD_OBJECT;

    }



    if (!mSailed) {

        ALOGE("b/35467458");

        android_errorWriteLog(0x534e4554, "35467458");
@@ -1477,6 +1512,9 @@ status_t OMXNodeInstance::updateNativeHandleInMeta_l( 
status_t OMXNodeInstance::setInputSurface(

        const sp<IOMXBufferSource> &bufferSource) {

    Mutex::Autolock autolock(mLock);

    if (mHandle == NULL) {

        return DEAD_OBJECT;

    }



    status_t err;
@@ -1543,6 +1581,9 @@ status_t OMXNodeInstance::allocateSecureBuffer( 
    }



    Mutex::Autolock autoLock(mLock);

    if (mHandle == NULL) {

        return DEAD_OBJECT;

    }



    if (!mSailed) {

        ALOGE("b/35467458");
@@ -1599,6 +1640,10 @@ status_t OMXNodeInstance::allocateSecureBuffer( 
status_t OMXNodeInstance::freeBuffer(

        OMX_U32 portIndex, IOMX::buffer_id buffer) {

    Mutex::Autolock autoLock(mLock);

    if (mHandle == NULL) {

        return DEAD_OBJECT;

    }



    CLOG_BUFFER(freeBuffer, "%s:%u %#x", portString(portIndex), portIndex, buffer);



    removeActiveBuffer(portIndex, buffer);
@@ -1623,6 +1668,9 @@ status_t OMXNodeInstance::freeBuffer( 
status_t OMXNodeInstance::fillBuffer(

        IOMX::buffer_id buffer, const OMXBuffer &omxBuffer, int fenceFd) {

    Mutex::Autolock autoLock(mLock);

    if (mHandle == NULL) {

        return DEAD_OBJECT;

    }



    OMX_BUFFERHEADERTYPE *header = findBufferHeader(buffer, kPortIndexOutput);

    if (header == NULL) {
@@ -1673,6 +1721,9 @@ status_t OMXNodeInstance::emptyBuffer( 
        buffer_id buffer, const OMXBuffer &omxBuffer,

        OMX_U32 flags, OMX_TICKS timestamp, int fenceFd) {

    Mutex::Autolock autoLock(mLock);

    if (mHandle == NULL) {

        return DEAD_OBJECT;

    }



    switch (omxBuffer.mBufferType) {

    case OMXBuffer::kBufferTypePreset:
@@ -1987,6 +2038,9 @@ void OMXNodeInstance::codecBufferFilled(omx_message &msg) { 
status_t OMXNodeInstance::getExtensionIndex(

        const char *parameterName, OMX_INDEXTYPE *index) {

    Mutex::Autolock autoLock(mLock);

    if (mHandle == NULL) {

        return DEAD_OBJECT;

    }



    OMX_ERRORTYPE err = OMX_GetExtensionIndex(

            mHandle, const_cast<char *>(parameterName), index);