97e3ddfad60bf0417cbbc93dda97d2b887589fc0 |
|
25-Apr-2016 |
Praveen Chavan <pchavan@codeaurora.org> |
mm-video-v4l2: vdec: Avoid processing ETBs/FTBs in invalid states (per the spec) ETB/FTB should not be handled in states other than Executing, Paused and Idle. This avoids accessing invalid buffers. Also add a lock to protect the private-buffers from being deleted while accessing from another thread. Bug: 27890802 Security Vulnerability - Heap Use-After-Free and Possible LPE in MediaServer (libOmxVdec problem #6) Change-Id: Iaac2e383cd53cf9cf8042c9ed93ddc76dba3907e
/hardware/qcom/media/msm8974/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp
|
c9770704a9bb7c26205cf0e5bca05d4397aab1c3 |
|
17-Mar-2016 |
Praveen Chavan <pchavan@codeaurora.org> |
mm-video-v4l2: vidc: fix matching of extension strings Using strncmp with the strlen of source string can result in false positives when it is a substring of the passed string. Eg: strncmp("OMX.extn.x", "OMX.extn.xyz", strlen(OMX.extn.x)) will result in a match. Use strcmp instead. Bug: 27344524 Change-Id: I68839f2bea8b97a31f43885538e9dce51aa8c1b4
/hardware/qcom/media/msm8974/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp
|
ff8f9f29b46df8de6dba9bda31eab4beb67146b8 |
|
23-Mar-2016 |
Praveen Chavan <pchavan@codeaurora.org> |
mm-video-v4l2: vdec: deprecate unused config OMX_IndexVendorVideoExtraData This config (used to set header offline) is no longer used. Remove handling this config since it uses non-process-safe ways to pass memory pointers. Fixes: Security Vulnerability - Segfault in MediaServer (libOmxVdec problem #2) Bug: 27475409 Change-Id: I7a535a3da485cbe83cf4605a05f9faf70dcca42f
/hardware/qcom/media/msm8974/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp
|
fd65fa891104fd7cedb06a8ba0849934dae63640 |
|
23-Mar-2016 |
Praveen Chavan <pchavan@codeaurora.org> |
mm-video-v4l2: vdec: add safety checks for freeing buffers Allow only up to 64 buffers on input/output port (since the allocation bitmap is only 64-wide). Do not allow changing the actual buffer count while still holding allocation (Client can technically negotiate buffer count on a free/disabled port) Add safety checks to free only as many buffers were allocated. Fixes: Security Vulnerability - Heap Overflow and Possible Local Privilege Escalation in MediaServer (libOmxVdec problem #3) Bug: 27532282 27661749 Change-Id: I06dd680d43feaef3efdc87311e8a6703e234b523
/hardware/qcom/media/msm8974/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp
|
af0b35a2e7f4d246242c0f35fcde04858dd6670d |
|
05-Apr-2016 |
Steve Pfetsch <spfetsch@google.com> |
Merge "mm-video-v4l2: vdec: Add range check before native_buffer usage" into nyc-dev
|
00c00c349f132b5bba20e26ed54d01e9be9f87e4 |
|
31-Mar-2016 |
Praveen Chavan <pchavan@codeaurora.org> |
mm-video-v4l2: vdec: Add range check before native_buffer usage Restore missing buffer-index calculation, without which, native-handles were not being saved properly and NULL handles got sent out to gralloc::setMetadata A bad buffer index can cause the OMX component to make an out of bound read/write access on the native_buffer array and cause a crash. Add range check to fix the issue. Bug: 25976027 Change-Id: I684a501a1a71898b5c1c80566125459a5972c959
/hardware/qcom/media/msm8974/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp
|
16ee85d1d456a4b694fd32baa5f52341e638b5d8 |
|
30-Mar-2016 |
Praveen Chavan <pchavan@codeaurora.org> |
mm-video-v4l2: vidc: validate omx param/config data Check the sanity of config/param strcuture objects passed to get/set _ config()/parameter() methods. Bug: 27533317 Security Vulnerability in MediaServer omx_vdec::get_config() Can lead to arbitrary write Change-Id: I6c3243afe12055ab94f1a1ecf758c10e88231809
/hardware/qcom/media/msm8974/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp
|
e4010605f233a213cf0d972397bb33c34c364227 |
|
07-Mar-2016 |
Patrick Tjin <pattjin@google.com> |
Initial import of msm8996 media HAL 1) Move existing HAL to msm8974/ 2) Import msm8996 HAL from LA.HB.1.1.2_rb1.12 3) Modify Makefiles to remove kernel dependencies and fix for new directory structure 4) Modify top level makefile for new directory structure Top commits from LA.HB.1.1.2_rb1.12 included in this commit: db7937a mm-video: vidc: memset struct v4l2_format prior to S_FMT d77ab10 Merge "mm-video-v4l2: vidc: Do not queue output buffer if flush is in progress" 8895985 mm-video-v4l2: vidc: vdec: Add property to disable UBWC for OPB 675af75 Merge "mm-video: vidc: Communicate the right colorformat to the driver" dd79df2 Merge "mm-video: vidc: Reliably stop the message thread" c3e8618 Merge "mm-video-v4l2: vidc: venc: Fix B-Frame handling" 755ec08 mm-video-v4l2: vidc: Do not queue output buffer if flush is in progress 3ac8410 mm-video: vidc: Reliably stop the message thread b73dcba Merge "mm-video-v4l2: vidc: venc: Bug fixes for VZIP" 8358109 Merge "mm-video-v4l2: vdec: fix picture type decode mode return status" BUG=27420204 Signed-off-by: Patrick Tjin <pattjin@google.com> Change-Id: I71aa0190e48b332268334677894b0ad7c606296b
/hardware/qcom/media/msm8974/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp
|