7d951403ff6549b9d0c84b2b41a9d363c27a28fc |
22-Jul-2017 |
Santhosh Behara <santhoshbehara@codeaurora.org> |
mm-video-v4l2: venc: Protect buffer from being freed while accessing Output buffer(in use-buffer mode) has an internal backup ion buffer. The contents of this buffer are deep-copied in client's buffer in the context of VideoEncCallBackThread; while this buffer can be freed in the client thread's context. Check the allocation bitmask before attempting to copy and synchronize these operations by holding a lock Fixes bug 36130225 Security Vulnerability - Heap use after free in libOmxVenc CRs-Fixed: 2053101 Bug: 36130225 Change-Id: If5e89703b2dec0aee8acb7e897e9df94227af3f3 Author: Praveen Chavan<pchavan@codeaurora.org> (cherry picked from commit 0008e212118f9172e0e6cbafd679ce0a42cbf019)
enc/inc/omx_video_base.h
enc/src/omx_video_base.cpp
enc/src/omx_video_encoder.cpp
|
7c03ed4f9e7ef832adfc34771e27a26aa2da9b2e |
19-Oct-2016 |
Praveen Chavan <pchavan@codeaurora.org> |
mm-video-v4l2: vdec: Disallow input usebuffer for secure case am: 7b99376ecf Change-Id: I8104f710d235307138c01dda4c19ad006aa5788b
|
7b99376ecf7a6746e3bcb146975c00fc9ea560ab |
17-Sep-2016 |
Praveen Chavan <pchavan@codeaurora.org> |
mm-video-v4l2: vdec: Disallow input usebuffer for secure case In secure mode, input buffer _must_ be allocated by the component to allocate a secure buffer. Client-supplied memory via usebuffer does not qualify as secure-memory and must be rejected. This also avoids accidental heap-overflow while copying bitstream from user-memory to a smaller-sized secure-payload (usually the buffer-header itself) Bug : 30148882 Fixes : Heap Overflow/LPE in MediaServer (libOmxVdec problem #11) CRs-Fixed: 1071731 Change-Id: Ibbde2d6a9c1f30e8482a533cadb13e44d8dcb2c0
dec/src/omx_vdec_msm8974.cpp
|
9ff997e158806d5968b7badfabac1eab3a2a0f07 |
14-Oct-2016 |
Praveen Chavan <pchavan@codeaurora.org> |
mm-video-v4l2: venc: Disallow changing buffer count/size on allocated port am: b7b6466da4 am: 3a1263e033 Change-Id: I4c45d329bf3c803f59fae3fc2578188b018db1ca
|
526394de98d82686394713a59c70e64d7ddb12b8 |
14-Oct-2016 |
Praveen Chavan <pchavan@codeaurora.org> |
mm-video-v4l2: vdec: Disallow changing buffer modes/counts on allocated ports am: ee06e61ff4 am: 8784ace2ba Change-Id: I3a83d20fd685178d0105c30edf16e243d66affec
|
3a1263e033a69329c172a0db4477787050ec5c3c |
14-Oct-2016 |
Praveen Chavan <pchavan@codeaurora.org> |
mm-video-v4l2: venc: Disallow changing buffer count/size on allocated port am: b7b6466da4 Change-Id: Idd7669adc3d4ac1b137d89c88aad893436bef19e
|
8784ace2ba59bd2729f2cde9ff0df8d0d8d5a816 |
14-Oct-2016 |
Praveen Chavan <pchavan@codeaurora.org> |
mm-video-v4l2: vdec: Disallow changing buffer modes/counts on allocated ports am: ee06e61ff4 Change-Id: I226d535a430d2790338224598beba99a3936f4a2
|
b7b6466da41081776b21ab4d4955a706d7f6b7ca |
17-Aug-2016 |
Praveen Chavan <pchavan@codeaurora.org> |
mm-video-v4l2: venc: Disallow changing buffer count/size on allocated port Count and size negotiation of port-buffers should only be allowed when the port hasn't been allocated yet. Letting the client change count/size on a pre-allocated port will cause inconsistencies in the count/size of memory allocated for headers and internal lists. Fix resetting of buffer-base (m_inp_mem_ptr) when all buffers are freed, for all the buffer-modes. Bug: 29421682 Fixes: Local Privilege Escalation in MediaServer (libOmxVenc problem #10) Change-Id: I9abead969bc3c908e6db9beb6316fd572dac25f7
enc/src/omx_video_base.cpp
enc/src/omx_video_encoder.cpp
|
ee06e61ff49357884de5c6714828c263966895ee |
17-Aug-2016 |
Praveen Chavan <pchavan@codeaurora.org> |
mm-video-v4l2: vdec: Disallow changing buffer modes/counts on allocated ports Changing Count, size, usage-mode (metadata/bytebuffer/native-handle) or allocation-mode (allocateBuffer/UseBuffer) of buffers should only be allowed when the port hasn't been allocated yet. Since buffer-modes determine the payload-size in case of meta-buffer-mode, and also determine the memory-base to derive buffer indices from buffer- headers, letting the client change count/size/mode on a pre-allocated port will cause inconsistencies in the size of memory allocated for headers and lead to index overflows. Fix the range checks for the derived buffer-indices to avoid out-of-bounds writes. Also, ensure buffer-mode settings (metadata-mode, native-handle-mode) are intended for the right ports. Bug: 29617572 : Heap Overflow/LPE in MediaServer (libOmxVdec problem #8) Bug: 29982686 : Memory Write/LPE in MediaServer (libOmxVdec problem #10) Change-Id: I619636a48779580c247bffb3752c3e4025b46542
dec/src/omx_vdec_msm8974.cpp
|
03783f82008b7447073e0da4550da02bdc2286cf |
30-Mar-2016 |
Praveen Chavan <pchavan@codeaurora.org> |
mm-video-v4l2: venc: add support for encoding with temporal layers Implement OMX_IndexParamAndroidVideoTemporalLayers to expose configuration of temporal-layered encoding to client. Layer-wise bitrate support and changing layer-count dynamically is not supported. Bug: 27596987 Change-Id: Ib32e7aea22e2cbaf78a903561b67de7d14ed57e5
enc/inc/omx_video_base.h
enc/inc/omx_video_encoder.h
enc/inc/video_encoder_device_v4l2.h
enc/src/omx_video_base.cpp
enc/src/omx_video_encoder.cpp
enc/src/video_encoder_device_v4l2.cpp
|
0442f2ca1a72c6a6c6fea429fafff88cddbf50cc |
20-Jun-2016 |
Praveen Chavan <pchavan@codeaurora.org> |
mm-video-v4l2: venc: Configure intra preriod for HEVC HEVC's main config param now supports key-frame-interval. Use this information to configure the intra-period. i.e configure number of P-Frames (assuming no B-frames) Bug: 29494247 CRs-Fixed: 1023504 Change-Id: I3d2f0df3a5ab3b7d659ae58ae6f4df5898006934
enc/src/video_encoder_device_v4l2.cpp
|
f89f2c65e17c4f6df0845ac099e9197af317283e |
22-Jun-2016 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "mm-video-v4l2: venc: add checks before accessing heap pointers" into nyc-dev
|
d99a08f99689df977dfc585a436ada5acf4f2a25 |
16-Jun-2016 |
Praveen Chavan <pchavan@codeaurora.org> |
mm-video-v4l2: venc: add checks before accessing heap pointers Heap pointers do not point to user virtual addresses in case of secure session. Set them to NULL and add checks to avoid accesing them Bug: 28815329 Bug: 28920116 Change-Id: I94fd5808e753b58654d65e175d3857ef46ffba26
enc/src/omx_video_base.cpp
enc/src/omx_video_encoder.cpp
enc/src/video_encoder_device_v4l2.cpp
|
3957953f027b784f2d55d96d388c8107371eb9db |
26-May-2016 |
Wonsik Kim <wonsik@google.com> |
Fix wrong nAllocLen Set nAllocLen to the size of the opaque handle itself. Bug: 28816964 Bug: 28816827 Change-Id: Id410e324bee291d4a0018dddb97eda9bbcded099
enc/src/omx_video_base.cpp
|
14a9920aa26f6b237957001090b127c9d79ac12e |
25-Apr-2016 |
Praveen Chavan <pchavan@codeaurora.org> |
mm-video-v4l2: venc: Avoid processing ETBs/FTBs in invalid states (per the spec) ETB/FTB should not be handled in states other than Executing, Paused and Idle. This avoids accessing invalid buffers. Also add a lock to protect the private-buffers from being deleted while accessing from another thread. Bug: 27903498 Security Vulnerability - Heap Use-After-Free and Possible LPE in MediaServer (libOmxVenc problem #3) Change-Id: I898b42034c0add621d4f9d8e02ca0ed4403d4fd3
enc/src/omx_video_base.cpp
|
97e3ddfad60bf0417cbbc93dda97d2b887589fc0 |
25-Apr-2016 |
Praveen Chavan <pchavan@codeaurora.org> |
mm-video-v4l2: vdec: Avoid processing ETBs/FTBs in invalid states (per the spec) ETB/FTB should not be handled in states other than Executing, Paused and Idle. This avoids accessing invalid buffers. Also add a lock to protect the private-buffers from being deleted while accessing from another thread. Bug: 27890802 Security Vulnerability - Heap Use-After-Free and Possible LPE in MediaServer (libOmxVdec problem #6) Change-Id: Iaac2e383cd53cf9cf8042c9ed93ddc76dba3907e
ommon/inc/vidc_debug.h
dec/inc/omx_vdec.h
dec/src/omx_vdec_msm8974.cpp
|
0db330f0ede890a2c99a73b5c5e53c41a2c87aa3 |
30-Apr-2016 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "mm-video-v4l2: vidc: fix matching of extension strings" into nyc-dev
|
1c3edf4ea2b794bc00a1d1fce7d14fd20423b939 |
08-Apr-2016 |
Hangyu Kuang <hkuang@google.com> |
Merge "mm-video-v4l2: vidc: Add support for OMX_IndexConfigAndroidIntraRefresh" into nyc-dev
|
f1b15e15b61a610b6d0a78797e9a5a3f2cfdd56c |
30-Mar-2016 |
Arun Menon <avmenon@codeaurora.org> |
mm-video-v4l2: vidc: Add support for OMX_IndexConfigAndroidIntraRefresh OMX Component will support OMX_IndexConfigAndroidIntraRefresh only in loaded state. Bug: 27108817 Change-Id: I213fed57842b94c333843871d6c555e1fb8784e5
enc/inc/omx_video_base.h
enc/src/omx_video_base.cpp
enc/src/omx_video_encoder.cpp
enc/src/video_encoder_device_v4l2.cpp
|
c9770704a9bb7c26205cf0e5bca05d4397aab1c3 |
17-Mar-2016 |
Praveen Chavan <pchavan@codeaurora.org> |
mm-video-v4l2: vidc: fix matching of extension strings Using strncmp with the strlen of source string can result in false positives when it is a substring of the passed string. Eg: strncmp("OMX.extn.x", "OMX.extn.xyz", strlen(OMX.extn.x)) will result in a match. Use strcmp instead. Bug: 27344524 Change-Id: I68839f2bea8b97a31f43885538e9dce51aa8c1b4
dec/src/omx_vdec_msm8974.cpp
enc/src/omx_video_base.cpp
|
f45517f0fc54776d5e9b78172af4453915991c73 |
07-Apr-2016 |
Ajay Dudani <adudani@google.com> |
Merge "media: Enable support for msm8952 target" into nyc-dev
|
7c1a4b1738ca4b68a2d734d61245f19b7f785465 |
07-Apr-2016 |
Ajay Dudani <adudani@google.com> |
media: Enable support for msm8952 target Change-Id: I8aae920d59fdd36e39ca2163a8bb11aa0f8c6947
dec.mk
enc.mk
|
ff8f9f29b46df8de6dba9bda31eab4beb67146b8 |
23-Mar-2016 |
Praveen Chavan <pchavan@codeaurora.org> |
mm-video-v4l2: vdec: deprecate unused config OMX_IndexVendorVideoExtraData This config (used to set header offline) is no longer used. Remove handling this config since it uses non-process-safe ways to pass memory pointers. Fixes: Security Vulnerability - Segfault in MediaServer (libOmxVdec problem #2) Bug: 27475409 Change-Id: I7a535a3da485cbe83cf4605a05f9faf70dcca42f
dec/src/omx_vdec_msm8974.cpp
|
fd65fa891104fd7cedb06a8ba0849934dae63640 |
23-Mar-2016 |
Praveen Chavan <pchavan@codeaurora.org> |
mm-video-v4l2: vdec: add safety checks for freeing buffers Allow only up to 64 buffers on input/output port (since the allocation bitmap is only 64-wide). Do not allow changing the actual buffer count while still holding allocation (Client can technically negotiate buffer count on a free/disabled port) Add safety checks to free only as many buffers were allocated. Fixes: Security Vulnerability - Heap Overflow and Possible Local Privilege Escalation in MediaServer (libOmxVdec problem #3) Bug: 27532282 27661749 Change-Id: I06dd680d43feaef3efdc87311e8a6703e234b523
dec/inc/omx_vdec.h
dec/src/omx_vdec_msm8974.cpp
|
417bd6d3d293ef616a5a33741cfd6ac8c50f685f |
21-Mar-2016 |
Praveen Chavan <pchavan@codeaurora.org> |
mm-video-v4l2: venc: add safety checks for freeing buffers Allow only up to 64 buffers on input/output port (since the allocation bitmap is only 64-wide). Add safety checks to free only as many buffers were allocated. Fixes: Heap Overflow and Possible Local Privilege Escalation in MediaServer (libOmxVenc problem) Bug: 27532497 Change-Id: I31e576ef9dc542df73aa6b0ea113d72724b50fc6
enc/inc/omx_video_base.h
enc/src/omx_video_base.cpp
enc/src/omx_video_encoder.cpp
|
af0b35a2e7f4d246242c0f35fcde04858dd6670d |
05-Apr-2016 |
Steve Pfetsch <spfetsch@google.com> |
Merge "mm-video-v4l2: vdec: Add range check before native_buffer usage" into nyc-dev
|
00c00c349f132b5bba20e26ed54d01e9be9f87e4 |
31-Mar-2016 |
Praveen Chavan <pchavan@codeaurora.org> |
mm-video-v4l2: vdec: Add range check before native_buffer usage Restore missing buffer-index calculation, without which, native-handles were not being saved properly and NULL handles got sent out to gralloc::setMetadata A bad buffer index can cause the OMX component to make an out of bound read/write access on the native_buffer array and cause a crash. Add range check to fix the issue. Bug: 25976027 Change-Id: I684a501a1a71898b5c1c80566125459a5972c959
dec/src/omx_vdec_msm8974.cpp
|
16ee85d1d456a4b694fd32baa5f52341e638b5d8 |
30-Mar-2016 |
Praveen Chavan <pchavan@codeaurora.org> |
mm-video-v4l2: vidc: validate omx param/config data Check the sanity of config/param strcuture objects passed to get/set _ config()/parameter() methods. Bug: 27533317 Security Vulnerability in MediaServer omx_vdec::get_config() Can lead to arbitrary write Change-Id: I6c3243afe12055ab94f1a1ecf758c10e88231809
ommon/inc/vidc_debug.h
dec/src/omx_vdec_msm8974.cpp
enc/src/omx_video_base.cpp
enc/src/omx_video_encoder.cpp
|
e4010605f233a213cf0d972397bb33c34c364227 |
07-Mar-2016 |
Patrick Tjin <pattjin@google.com> |
Initial import of msm8996 media HAL 1) Move existing HAL to msm8974/ 2) Import msm8996 HAL from LA.HB.1.1.2_rb1.12 3) Modify Makefiles to remove kernel dependencies and fix for new directory structure 4) Modify top level makefile for new directory structure Top commits from LA.HB.1.1.2_rb1.12 included in this commit: db7937a mm-video: vidc: memset struct v4l2_format prior to S_FMT d77ab10 Merge "mm-video-v4l2: vidc: Do not queue output buffer if flush is in progress" 8895985 mm-video-v4l2: vidc: vdec: Add property to disable UBWC for OPB 675af75 Merge "mm-video: vidc: Communicate the right colorformat to the driver" dd79df2 Merge "mm-video: vidc: Reliably stop the message thread" c3e8618 Merge "mm-video-v4l2: vidc: venc: Fix B-Frame handling" 755ec08 mm-video-v4l2: vidc: Do not queue output buffer if flush is in progress 3ac8410 mm-video: vidc: Reliably stop the message thread b73dcba Merge "mm-video-v4l2: vidc: venc: Bug fixes for VZIP" 8358109 Merge "mm-video-v4l2: vdec: fix picture type decode mode return status" BUG=27420204 Signed-off-by: Patrick Tjin <pattjin@google.com> Change-Id: I71aa0190e48b332268334677894b0ad7c606296b
ndroid.mk
ommon/inc/extra_data_handler.h
ommon/inc/vidc_color_converter.h
ommon/inc/vidc_debug.h
ommon/src/extra_data_handler.cpp
ommon/src/vidc_color_converter.cpp
dec.mk
dec/inc/Map.h
dec/inc/decoder_driver_test.h
dec/inc/frameparser.h
dec/inc/h264_utils.h
dec/inc/hevc_utils.h
dec/inc/message_queue.h
dec/inc/mp4_utils.h
dec/inc/omx_vdec.h
dec/inc/omx_vdec_hevc.h
dec/inc/power_module.h
dec/inc/qtypes.h
dec/inc/queue.h
dec/inc/ts_parser.h
dec/src/frameparser.cpp
dec/src/h264_utils.cpp
dec/src/hevc_utils.cpp
dec/src/message_queue.c
dec/src/mp4_utils.cpp
dec/src/omx_vdec.cpp
dec/src/omx_vdec_hevc.cpp
dec/src/omx_vdec_hevc_swvdec.cpp
dec/src/omx_vdec_msm8974.cpp
dec/src/power_module.cpp
dec/src/queue.c
dec/src/ts_parser.cpp
dec/test/decoder_driver_test.c
dec/test/omx_vdec_test.cpp
enc.mk
enc/inc/camera_test.h
enc/inc/fb_test.h
enc/inc/omx_video_base.h
enc/inc/omx_video_common.h
enc/inc/omx_video_encoder.h
enc/inc/queue.h
enc/inc/venc_util.h
enc/inc/video_encoder_device.h
enc/inc/video_encoder_device_v4l2.h
enc/inc/video_encoder_test.h
enc/src/omx_video_base.cpp
enc/src/omx_video_encoder.cpp
enc/src/video_encoder_device.cpp
enc/src/video_encoder_device_v4l2.cpp
enc/test/venc_test.cpp
|