
Commit 463452a9 authored by Ray Essick's avatar Ray Essick

Prevent OOB write in soft_avc encoder

Soft avc encoder cached buffer sizes across a point where the sizes
could be reset by an app, allowing crafted requests to hit outside
of the current buffer. This remedies that by forcing buffer reallocation
with new sizes whenever the encoder state goes through such a 'reset' point.

Bug: 35421151
Test: run POC with no crash
Change-Id: I8c689846142264f7b6a277332260a6bd8a2bd92d
parent c5bea960
+12 −0
@@ -611,6 +611,7 @@ OMX_ERRORTYPE SoftAVC::initEncoder() {
    IV_STATUS_T status;
    WORD32 level;
    uint32_t displaySizeY;

    CHECK(!mStarted);

    OMX_ERRORTYPE errType = OMX_ErrorNone;
@@ -913,6 +914,9 @@ OMX_ERRORTYPE SoftAVC::releaseEncoder() {
        }
    }

    // clear other pointers into the space being free()d
    mCodecCtx = NULL;

    mStarted = false;

    return OMX_ErrorNone;
@@ -1444,6 +1448,14 @@ void SoftAVC::onQueueFilled(OMX_U32 portIndex) {
    return;
}

void SoftAVC::onReset() {
    SoftVideoEncoderOMXComponent::onReset();

    if (releaseEncoder() != OMX_ErrorNone) {
        ALOGW("releaseEncoder failed");
    }
}

}  // namespace android

android::SoftOMXComponent *createSoftOMXComponent(
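Review bot: In `onReset()`, a failure from `releaseEncoder()` is only logged with `ALOGW("releaseEncoder failed")`, and the reset then completes as if the encoder state had been dropped. The body of `releaseEncoder()` starts outside the hunk, so it is not visible whether an error return happens before the `mCodecCtx = NULL;` and `mStarted = false;` lines. If it can, the stale context and cached sizes this commit is meant to discard would survive the reset, and the next `initEncoder()` would trip `CHECK(!mStarted)`. Consider clearing `mCodecCtx` and `mStarted` on the failure path as well, or logging at error level and reporting the failure to the client. A one-line comment on `onReset()` would also help, for example `// Release the encoder on reset so buffers are reallocated with the current sizes on the next init.`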
+2 −0
@@ -137,6 +137,8 @@ struct SoftAVC : public SoftVideoEncoderOMXComponent {
protected:
    virtual ~SoftAVC();

    virtual void onReset();

private:
    enum {
        kNumBuffers = 2,
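Review bot: The new declaration `virtual void onReset();` is not marked `override`, so the compiler does not check that it matches the base-class hook. The .cpp side calls `SoftVideoEncoderOMXComponent::onReset()`, which suggests a base virtual exists, but its declaration is not visible here. If the signatures ever diverge, this method would silently stop being called on reset and the stale-buffer condition the commit fixes would return. If the toolchain allows it, prefer `void onReset() override;`, and add a short comment such as `// Releases the encoder so buffers are reallocated after a reset.`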