DO NOT MERGE Verify OMX buffer sizes prior to access (8dd12ca1) · Commits · e / os / android_frameworks_av

media/libmedia/IOMX.cpp

+66 −30

Original line number	Diff line number	Diff line
		@@ -18,6 +18,8 @@
		#define LOG_TAG "IOMX"
		#include <utils/Log.h>

		#include <sys/mman.h>

		#include <binder/IMemory.h>
		#include <binder/Parcel.h>
		#include <media/IOMX.h>
		@@ -694,13 +696,41 @@ status_t BnOMX::onTransact(

		size_t size = data.readInt64();

		status_t err = NO_MEMORY;
		void *params = calloc(size, 1);
		if (params) {
		status_t err = NOT_ENOUGH_DATA;
		void *params = NULL;
		size_t pageSize = 0;
		size_t allocSize = 0;
		if (code != SET_INTERNAL_OPTION && size < 8) {
		// we expect the structure to contain at least the size and
		// version, 8 bytes total
		ALOGE("b/27207275 (%zu)", size);
		android_errorWriteLog(0x534e4554, "27207275");
		} else {
		err = NO_MEMORY;
		pageSize = (size_t) sysconf(_SC_PAGE_SIZE);
		if (size > SIZE_MAX - (pageSize * 2)) {
		ALOGE("requested param size too big");
		} else {
		allocSize = (size + pageSize * 2) & ~(pageSize - 1);
		params = mmap(NULL, allocSize, PROT_READ \| PROT_WRITE,
		MAP_PRIVATE \| MAP_ANONYMOUS, -1 /* fd /, 0 / offset */);
		}
		if (params != MAP_FAILED) {
		err = data.read(params, size);
		if (err != OK) {
		android_errorWriteLog(0x534e4554, "26914474");
		} else {
		err = NOT_ENOUGH_DATA;
		OMX_U32 declaredSize = (OMX_U32)params;
		if (code != SET_INTERNAL_OPTION && declaredSize > size) {
		// the buffer says it's bigger than it actually is
		ALOGE("b/27207275 (%u/%zu)", declaredSize, size);
		android_errorWriteLog(0x534e4554, "27207275");
		} else {
		// mark the last page as inaccessible, to avoid exploitation
		// of codecs that access past the end of the allocation because
		// they didn't check the size
		mprotect((char*)params + allocSize - pageSize, pageSize, PROT_NONE);
		switch (code) {
		case GET_PARAMETER:
		err = getParameter(node, index, params, size);
		@@ -728,6 +758,10 @@ status_t BnOMX::onTransact(
		}
		}
		}
		} else {
		ALOGE("couldn't map: %s", strerror(errno));
		}
		}

		reply->writeInt32(err);

		@@ -735,7 +769,9 @@ status_t BnOMX::onTransact(
		reply->write(params, size);
		}

		free(params);
		if (params) {
		munmap(params, allocSize);
		}
		params = NULL;

		return NO_ERROR;

media/libstagefright/codecs/aacdec/SoftAAC2.cpp

+25 −0

Original line number	Diff line number	Diff line
		@@ -211,6 +211,10 @@ OMX_ERRORTYPE SoftAAC2::internalGetParameter(
		OMX_AUDIO_PARAM_AACPROFILETYPE *aacParams =
		(OMX_AUDIO_PARAM_AACPROFILETYPE *)params;

		if (!isValidOMXParam(aacParams)) {
		return OMX_ErrorBadParameter;
		}

		if (aacParams->nPortIndex != 0) {
		return OMX_ErrorUndefined;
		}
		@@ -246,6 +250,10 @@ OMX_ERRORTYPE SoftAAC2::internalGetParameter(
		OMX_AUDIO_PARAM_PCMMODETYPE *pcmParams =
		(OMX_AUDIO_PARAM_PCMMODETYPE *)params;

		if (!isValidOMXParam(pcmParams)) {
		return OMX_ErrorBadParameter;
		}

		if (pcmParams->nPortIndex != 1) {
		return OMX_ErrorUndefined;
		}
		@@ -286,6 +294,10 @@ OMX_ERRORTYPE SoftAAC2::internalSetParameter(
		const OMX_PARAM_COMPONENTROLETYPE *roleParams =
		(const OMX_PARAM_COMPONENTROLETYPE *)params;

		if (!isValidOMXParam(roleParams)) {
		return OMX_ErrorBadParameter;
		}

		if (strncmp((const char *)roleParams->cRole,
		"audio_decoder.aac",
		OMX_MAX_STRINGNAME_SIZE - 1)) {
		@@ -300,6 +312,10 @@ OMX_ERRORTYPE SoftAAC2::internalSetParameter(
		const OMX_AUDIO_PARAM_AACPROFILETYPE *aacParams =
		(const OMX_AUDIO_PARAM_AACPROFILETYPE *)params;

		if (!isValidOMXParam(aacParams)) {
		return OMX_ErrorBadParameter;
		}

		if (aacParams->nPortIndex != 0) {
		return OMX_ErrorUndefined;
		}
		@@ -320,6 +336,11 @@ OMX_ERRORTYPE SoftAAC2::internalSetParameter(
		{
		const OMX_AUDIO_PARAM_ANDROID_AACPRESENTATIONTYPE *aacPresParams =
		(const OMX_AUDIO_PARAM_ANDROID_AACPRESENTATIONTYPE *)params;

		if (!isValidOMXParam(aacPresParams)) {
		return OMX_ErrorBadParameter;
		}

		// for the following parameters of the OMX_AUDIO_PARAM_AACPROFILETYPE structure,
		// a value of -1 implies the parameter is not set by the application:
		// nMaxOutputChannels uses default platform properties, see configureDownmix()
		@@ -386,6 +407,10 @@ OMX_ERRORTYPE SoftAAC2::internalSetParameter(
		const OMX_AUDIO_PARAM_PCMMODETYPE *pcmParams =
		(OMX_AUDIO_PARAM_PCMMODETYPE *)params;

		if (!isValidOMXParam(pcmParams)) {
		return OMX_ErrorBadParameter;
		}

		if (pcmParams->nPortIndex != 1) {
		return OMX_ErrorUndefined;
		}

media/libstagefright/codecs/aacenc/SoftAACEncoder.cpp

+28 −0

Original line number	Diff line number	Diff line
		@@ -154,6 +154,10 @@ OMX_ERRORTYPE SoftAACEncoder::internalGetParameter(
		OMX_AUDIO_PARAM_PORTFORMATTYPE *formatParams =
		(OMX_AUDIO_PARAM_PORTFORMATTYPE *)params;

		if (!isValidOMXParam(formatParams)) {
		return OMX_ErrorBadParameter;
		}

		if (formatParams->nPortIndex > 1) {
		return OMX_ErrorUndefined;
		}
		@@ -174,6 +178,10 @@ OMX_ERRORTYPE SoftAACEncoder::internalGetParameter(
		OMX_AUDIO_PARAM_AACPROFILETYPE *aacParams =
		(OMX_AUDIO_PARAM_AACPROFILETYPE *)params;

		if (!isValidOMXParam(aacParams)) {
		return OMX_ErrorBadParameter;
		}

		if (aacParams->nPortIndex != 1) {
		return OMX_ErrorUndefined;
		}
		@@ -198,6 +206,10 @@ OMX_ERRORTYPE SoftAACEncoder::internalGetParameter(
		OMX_AUDIO_PARAM_PCMMODETYPE *pcmParams =
		(OMX_AUDIO_PARAM_PCMMODETYPE *)params;

		if (!isValidOMXParam(pcmParams)) {
		return OMX_ErrorBadParameter;
		}

		if (pcmParams->nPortIndex != 0) {
		return OMX_ErrorUndefined;
		}
		@@ -229,6 +241,10 @@ OMX_ERRORTYPE SoftAACEncoder::internalSetParameter(
		const OMX_PARAM_COMPONENTROLETYPE *roleParams =
		(const OMX_PARAM_COMPONENTROLETYPE *)params;

		if (!isValidOMXParam(roleParams)) {
		return OMX_ErrorBadParameter;
		}

		if (strncmp((const char *)roleParams->cRole,
		"audio_encoder.aac",
		OMX_MAX_STRINGNAME_SIZE - 1)) {
		@@ -243,6 +259,10 @@ OMX_ERRORTYPE SoftAACEncoder::internalSetParameter(
		const OMX_AUDIO_PARAM_PORTFORMATTYPE *formatParams =
		(const OMX_AUDIO_PARAM_PORTFORMATTYPE *)params;

		if (!isValidOMXParam(formatParams)) {
		return OMX_ErrorBadParameter;
		}

		if (formatParams->nPortIndex > 1) {
		return OMX_ErrorUndefined;
		}
		@@ -266,6 +286,10 @@ OMX_ERRORTYPE SoftAACEncoder::internalSetParameter(
		OMX_AUDIO_PARAM_AACPROFILETYPE *aacParams =
		(OMX_AUDIO_PARAM_AACPROFILETYPE *)params;

		if (!isValidOMXParam(aacParams)) {
		return OMX_ErrorBadParameter;
		}

		if (aacParams->nPortIndex != 1) {
		return OMX_ErrorUndefined;
		}
		@@ -286,6 +310,10 @@ OMX_ERRORTYPE SoftAACEncoder::internalSetParameter(
		OMX_AUDIO_PARAM_PCMMODETYPE *pcmParams =
		(OMX_AUDIO_PARAM_PCMMODETYPE *)params;

		if (!isValidOMXParam(pcmParams)) {
		return OMX_ErrorBadParameter;
		}

		if (pcmParams->nPortIndex != 0) {
		return OMX_ErrorUndefined;
		}

media/libstagefright/codecs/aacenc/SoftAACEncoder2.cpp

+28 −0

Original line number	Diff line number	Diff line
		@@ -123,6 +123,10 @@ OMX_ERRORTYPE SoftAACEncoder2::internalGetParameter(
		OMX_AUDIO_PARAM_PORTFORMATTYPE *formatParams =
		(OMX_AUDIO_PARAM_PORTFORMATTYPE *)params;

		if (!isValidOMXParam(formatParams)) {
		return OMX_ErrorBadParameter;
		}

		if (formatParams->nPortIndex > 1) {
		return OMX_ErrorUndefined;
		}
		@@ -143,6 +147,10 @@ OMX_ERRORTYPE SoftAACEncoder2::internalGetParameter(
		OMX_AUDIO_PARAM_AACPROFILETYPE *aacParams =
		(OMX_AUDIO_PARAM_AACPROFILETYPE *)params;

		if (!isValidOMXParam(aacParams)) {
		return OMX_ErrorBadParameter;
		}

		if (aacParams->nPortIndex != 1) {
		return OMX_ErrorUndefined;
		}
		@@ -202,6 +210,10 @@ OMX_ERRORTYPE SoftAACEncoder2::internalGetParameter(
		OMX_AUDIO_PARAM_PCMMODETYPE *pcmParams =
		(OMX_AUDIO_PARAM_PCMMODETYPE *)params;

		if (!isValidOMXParam(pcmParams)) {
		return OMX_ErrorBadParameter;
		}

		if (pcmParams->nPortIndex != 0) {
		return OMX_ErrorUndefined;
		}
		@@ -233,6 +245,10 @@ OMX_ERRORTYPE SoftAACEncoder2::internalSetParameter(
		const OMX_PARAM_COMPONENTROLETYPE *roleParams =
		(const OMX_PARAM_COMPONENTROLETYPE *)params;

		if (!isValidOMXParam(roleParams)) {
		return OMX_ErrorBadParameter;
		}

		if (strncmp((const char *)roleParams->cRole,
		"audio_encoder.aac",
		OMX_MAX_STRINGNAME_SIZE - 1)) {
		@@ -247,6 +263,10 @@ OMX_ERRORTYPE SoftAACEncoder2::internalSetParameter(
		const OMX_AUDIO_PARAM_PORTFORMATTYPE *formatParams =
		(const OMX_AUDIO_PARAM_PORTFORMATTYPE *)params;

		if (!isValidOMXParam(formatParams)) {
		return OMX_ErrorBadParameter;
		}

		if (formatParams->nPortIndex > 1) {
		return OMX_ErrorUndefined;
		}
		@@ -270,6 +290,10 @@ OMX_ERRORTYPE SoftAACEncoder2::internalSetParameter(
		OMX_AUDIO_PARAM_AACPROFILETYPE *aacParams =
		(OMX_AUDIO_PARAM_AACPROFILETYPE *)params;

		if (!isValidOMXParam(aacParams)) {
		return OMX_ErrorBadParameter;
		}

		if (aacParams->nPortIndex != 1) {
		return OMX_ErrorUndefined;
		}
		@@ -310,6 +334,10 @@ OMX_ERRORTYPE SoftAACEncoder2::internalSetParameter(
		OMX_AUDIO_PARAM_PCMMODETYPE *pcmParams =
		(OMX_AUDIO_PARAM_PCMMODETYPE *)params;

		if (!isValidOMXParam(pcmParams)) {
		return OMX_ErrorBadParameter;
		}

		if (pcmParams->nPortIndex != 0) {
		return OMX_ErrorUndefined;
		}

media/libstagefright/codecs/amrnb/dec/SoftAMR.cpp

+20 −0

Original line number	Diff line number	Diff line
		@@ -148,6 +148,10 @@ OMX_ERRORTYPE SoftAMR::internalGetParameter(
		OMX_AUDIO_PARAM_AMRTYPE *amrParams =
		(OMX_AUDIO_PARAM_AMRTYPE *)params;

		if (!isValidOMXParam(amrParams)) {
		return OMX_ErrorBadParameter;
		}

		if (amrParams->nPortIndex != 0) {
		return OMX_ErrorUndefined;
		}
		@@ -174,6 +178,10 @@ OMX_ERRORTYPE SoftAMR::internalGetParameter(
		OMX_AUDIO_PARAM_PCMMODETYPE *pcmParams =
		(OMX_AUDIO_PARAM_PCMMODETYPE *)params;

		if (!isValidOMXParam(pcmParams)) {
		return OMX_ErrorBadParameter;
		}

		if (pcmParams->nPortIndex != 1) {
		return OMX_ErrorUndefined;
		}
		@@ -207,6 +215,10 @@ OMX_ERRORTYPE SoftAMR::internalSetParameter(
		const OMX_PARAM_COMPONENTROLETYPE *roleParams =
		(const OMX_PARAM_COMPONENTROLETYPE *)params;

		if (!isValidOMXParam(roleParams)) {
		return OMX_ErrorBadParameter;
		}

		if (mMode == MODE_NARROW) {
		if (strncmp((const char *)roleParams->cRole,
		"audio_decoder.amrnb",
		@@ -229,6 +241,10 @@ OMX_ERRORTYPE SoftAMR::internalSetParameter(
		const OMX_AUDIO_PARAM_AMRTYPE *aacParams =
		(const OMX_AUDIO_PARAM_AMRTYPE *)params;

		if (!isValidOMXParam(aacParams)) {
		return OMX_ErrorBadParameter;
		}

		if (aacParams->nPortIndex != 0) {
		return OMX_ErrorUndefined;
		}
		@@ -241,6 +257,10 @@ OMX_ERRORTYPE SoftAMR::internalSetParameter(
		const OMX_AUDIO_PARAM_PCMMODETYPE *pcmParams =
		(OMX_AUDIO_PARAM_PCMMODETYPE *)params;

		if (!isValidOMXParam(pcmParams)) {
		return OMX_ErrorBadParameter;
		}

		if (pcmParams->nPortIndex != 1) {
		return OMX_ErrorUndefined;
		}