Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 800d5777 authored by Marco Nelissen's avatar Marco Nelissen Committed by MSe
Browse files

Don't allow using or allocating a buffer after the first state transition 

Bug: 35467458
AOSP-Change-Id: Ia76c8cec8ad2abb95ca29b2a89075f7acab4b174
(cherry picked from commit e2532045)

CVE-2017-0698

Change-Id: Iab332c38fff8fbf6ac89868661d02a7a078c4063
parent b2ecaf64

media/libstagefright/omx/OMXNodeInstance.cpp

+18 −0
Original line number Diff line number Diff line
@@ -773,6 +773,12 @@ status_t OMXNodeInstance::useBuffer( 
        return BAD_VALUE;

    }



    if (!mSailed) {

        ALOGE("b/35467458");

        android_errorWriteLog(0x534e4554, "35467458");

        return BAD_VALUE;

    }



    // metadata buffers are not connected cross process

    BufferMeta *buffer_meta;

    bool isMeta = mMetadataType[portIndex] != kMetadataBufferTypeInvalid;
@@ -1116,6 +1122,12 @@ status_t OMXNodeInstance::allocateBuffer( 
        void **buffer_data) {

    Mutex::Autolock autoLock(mLock);



    if (!mSailed) {

        ALOGE("b/35467458");

        android_errorWriteLog(0x534e4554, "35467458");

        return BAD_VALUE;

    }



    BufferMeta *buffer_meta = new BufferMeta(size, portIndex);



    OMX_BUFFERHEADERTYPE *header;
@@ -1157,6 +1169,12 @@ status_t OMXNodeInstance::allocateBufferWithBackup( 
        return BAD_VALUE;

    }



    if (!mSailed) {

        ALOGE("b/35467458");

        android_errorWriteLog(0x534e4554, "35467458");

        return BAD_VALUE;

    }



    // metadata buffers are not connected cross process

    bool isMeta = mMetadataType[portIndex] != kMetadataBufferTypeInvalid;

    bool copy = !(crossProcess && isMeta);