Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit ce7b20fe authored by Harish Mahendrakar's avatar Harish Mahendrakar Committed by Lajos Molnar
Browse files

OMXNodeInstance: Validate size of structures 

Bug: 273935108
Bug: 273934916
Bug: 273935036
Bug: 273934540
Bug: 273935851
Bug: 273729671
Bug: 273933441
Bug: 273937551
Bug: 273935851

Test: poc in bug
(cherry picked from https://partner-android-review.googlesource.com/q/commit:a8bb1fc5da615305826220b9b1b1b30b7dedf6a9)
Merged-In: I5130d015cbce1b30d6f4fffeaa4cf3b35c974184
Change-Id: I5130d015cbce1b30d6f4fffeaa4cf3b35c974184
(cherry picked from commit b5cdaa40)
parent edf60c63

media/libstagefright/omx/OMXNodeInstance.cpp

+38 −1
Original line number Diff line number Diff line
@@ -102,6 +102,21 @@ static const OMX_U32 kPortIndexOutput = 1; 


namespace android {



static bool isValidOmxParamSize(const void *params, OMX_U32 size) {

    // expect the vector to contain at least the size and version, two OMX_U32 entries.

    if (size < 2 * sizeof(OMX_U32)) {

        return false;

    }



    // expect the vector to be as large as the declared size

    OMX_U32 *buf = (OMX_U32 *)params;

    OMX_U32 declaredSize = *(OMX_U32*)buf;

    if (declaredSize > size) {

        return false;

    }

    return true;

}



struct BufferMeta {

    explicit BufferMeta(

            const sp<IMemory> &mem, const sp<IHidlMemory> &hidlMemory,
@@ -683,6 +698,18 @@ bool OMXNodeInstance::isProhibitedIndex_l(OMX_INDEXTYPE index) { 


status_t OMXNodeInstance::getParameter(

        OMX_INDEXTYPE index, void *params, size_t size) {

    OMX_INDEXEXTTYPE extIndex = (OMX_INDEXEXTTYPE)index;

    if (extIndex == OMX_IndexParamConsumerUsageBits) {

        // expect the size to be 4 bytes for OMX_IndexParamConsumerUsageBits

        if (size != sizeof(OMX_U32)) {

            return BAD_VALUE;

        }

    } else {

        if (!isValidOmxParamSize(params, size)) {

            return BAD_VALUE;

        }

    }



    Mutex::Autolock autoLock(mLock);

    if (mHandle == NULL) {

        return DEAD_OBJECT;
@@ -694,7 +721,6 @@ status_t OMXNodeInstance::getParameter( 
    }



    OMX_ERRORTYPE err = OMX_GetParameter(mHandle, index, params);

    OMX_INDEXEXTTYPE extIndex = (OMX_INDEXEXTTYPE)index;

    // some errors are expected for getParameter

    if (err != OMX_ErrorNoMore) {

        CLOG_IF_ERROR(getParameter, err, "%s(%#x)", asString(extIndex), index);
@@ -705,6 +731,10 @@ status_t OMXNodeInstance::getParameter( 


status_t OMXNodeInstance::setParameter(

        OMX_INDEXTYPE index, const void *params, size_t size) {

    if (!isValidOmxParamSize(params, size)) {

        return BAD_VALUE;

    }



    Mutex::Autolock autoLock(mLock);

    if (mHandle == NULL) {

        return DEAD_OBJECT;
@@ -731,6 +761,9 @@ status_t OMXNodeInstance::setParameter( 


status_t OMXNodeInstance::getConfig(

        OMX_INDEXTYPE index, void *params, size_t size) {

    if (!isValidOmxParamSize(params, size)) {

        return BAD_VALUE;

    }

    Mutex::Autolock autoLock(mLock);

    if (mHandle == NULL) {

        return DEAD_OBJECT;
@@ -754,6 +787,10 @@ status_t OMXNodeInstance::getConfig( 


status_t OMXNodeInstance::setConfig(

        OMX_INDEXTYPE index, const void *params, size_t size) {

    if (!isValidOmxParamSize(params, size)) {

        return BAD_VALUE;

    }



    Mutex::Autolock autoLock(mLock);

    if (mHandle == NULL) {

        return DEAD_OBJECT;