Cross Reference: /hardware/qcom/media/msm8974/mm-video-v4l2/vidc/

History log of /hardware/qcom/media/msm8974/mm-video-v4l2/vidc/
Revision	Date	Author	Comments (<<< Hide modified files) (Show modified files >>>)
7d951403ff6549b9d0c84b2b41a9d363c27a28fc	22-Jul-2017	Santhosh Behara <santhoshbehara@codeaurora.org>	mm-video-v4l2: venc: Protect buffer from being freed while accessing Output buffer(in use-buffer mode) has an internal backup ion buffer. The contents of this buffer are deep-copied in client's buffer in the context of VideoEncCallBackThread; while this buffer can be freed in the client thread's context. Check the allocation bitmask before attempting to copy and synchronize these operations by holding a lock Fixes bug 36130225 Security Vulnerability - Heap use after free in libOmxVenc CRs-Fixed: 2053101 Bug: 36130225 Change-Id: If5e89703b2dec0aee8acb7e897e9df94227af3f3 Author: Praveen Chavan<pchavan@codeaurora.org> (cherry picked from commit 0008e212118f9172e0e6cbafd679ce0a42cbf019) enc/inc/omx_video_base.h enc/src/omx_video_base.cpp enc/src/omx_video_encoder.cpp
7c03ed4f9e7ef832adfc34771e27a26aa2da9b2e	19-Oct-2016	Praveen Chavan <pchavan@codeaurora.org>	mm-video-v4l2: vdec: Disallow input usebuffer for secure case am: 7b99376ecf Change-Id: I8104f710d235307138c01dda4c19ad006aa5788b
7b99376ecf7a6746e3bcb146975c00fc9ea560ab	17-Sep-2016	Praveen Chavan <pchavan@codeaurora.org>	mm-video-v4l2: vdec: Disallow input usebuffer for secure case In secure mode, input buffer _must_ be allocated by the component to allocate a secure buffer. Client-supplied memory via usebuffer does not qualify as secure-memory and must be rejected. This also avoids accidental heap-overflow while copying bitstream from user-memory to a smaller-sized secure-payload (usually the buffer-header itself) Bug : 30148882 Fixes : Heap Overflow/LPE in MediaServer (libOmxVdec problem #11) CRs-Fixed: 1071731 Change-Id: Ibbde2d6a9c1f30e8482a533cadb13e44d8dcb2c0 dec/src/omx_vdec_msm8974.cpp
9ff997e158806d5968b7badfabac1eab3a2a0f07	14-Oct-2016	Praveen Chavan <pchavan@codeaurora.org>	mm-video-v4l2: venc: Disallow changing buffer count/size on allocated port am: b7b6466da4 am: 3a1263e033 Change-Id: I4c45d329bf3c803f59fae3fc2578188b018db1ca
526394de98d82686394713a59c70e64d7ddb12b8	14-Oct-2016	Praveen Chavan <pchavan@codeaurora.org>	mm-video-v4l2: vdec: Disallow changing buffer modes/counts on allocated ports am: ee06e61ff4 am: 8784ace2ba Change-Id: I3a83d20fd685178d0105c30edf16e243d66affec
3a1263e033a69329c172a0db4477787050ec5c3c	14-Oct-2016	Praveen Chavan <pchavan@codeaurora.org>	mm-video-v4l2: venc: Disallow changing buffer count/size on allocated port am: b7b6466da4 Change-Id: Idd7669adc3d4ac1b137d89c88aad893436bef19e
8784ace2ba59bd2729f2cde9ff0df8d0d8d5a816	14-Oct-2016	Praveen Chavan <pchavan@codeaurora.org>	mm-video-v4l2: vdec: Disallow changing buffer modes/counts on allocated ports am: ee06e61ff4 Change-Id: I226d535a430d2790338224598beba99a3936f4a2
b7b6466da41081776b21ab4d4955a706d7f6b7ca	17-Aug-2016	Praveen Chavan <pchavan@codeaurora.org>	mm-video-v4l2: venc: Disallow changing buffer count/size on allocated port Count and size negotiation of port-buffers should only be allowed when the port hasn't been allocated yet. Letting the client change count/size on a pre-allocated port will cause inconsistencies in the count/size of memory allocated for headers and internal lists. Fix resetting of buffer-base (m_inp_mem_ptr) when all buffers are freed, for all the buffer-modes. Bug: 29421682 Fixes: Local Privilege Escalation in MediaServer (libOmxVenc problem #10) Change-Id: I9abead969bc3c908e6db9beb6316fd572dac25f7 enc/src/omx_video_base.cpp enc/src/omx_video_encoder.cpp
ee06e61ff49357884de5c6714828c263966895ee	17-Aug-2016	Praveen Chavan <pchavan@codeaurora.org>	mm-video-v4l2: vdec: Disallow changing buffer modes/counts on allocated ports Changing Count, size, usage-mode (metadata/bytebuffer/native-handle) or allocation-mode (allocateBuffer/UseBuffer) of buffers should only be allowed when the port hasn't been allocated yet. Since buffer-modes determine the payload-size in case of meta-buffer-mode, and also determine the memory-base to derive buffer indices from buffer- headers, letting the client change count/size/mode on a pre-allocated port will cause inconsistencies in the size of memory allocated for headers and lead to index overflows. Fix the range checks for the derived buffer-indices to avoid out-of-bounds writes. Also, ensure buffer-mode settings (metadata-mode, native-handle-mode) are intended for the right ports. Bug: 29617572 : Heap Overflow/LPE in MediaServer (libOmxVdec problem #8) Bug: 29982686 : Memory Write/LPE in MediaServer (libOmxVdec problem #10) Change-Id: I619636a48779580c247bffb3752c3e4025b46542 dec/src/omx_vdec_msm8974.cpp
03783f82008b7447073e0da4550da02bdc2286cf	30-Mar-2016	Praveen Chavan <pchavan@codeaurora.org>	mm-video-v4l2: venc: add support for encoding with temporal layers Implement OMX_IndexParamAndroidVideoTemporalLayers to expose configuration of temporal-layered encoding to client. Layer-wise bitrate support and changing layer-count dynamically is not supported. Bug: 27596987 Change-Id: Ib32e7aea22e2cbaf78a903561b67de7d14ed57e5 enc/inc/omx_video_base.h enc/inc/omx_video_encoder.h enc/inc/video_encoder_device_v4l2.h enc/src/omx_video_base.cpp enc/src/omx_video_encoder.cpp enc/src/video_encoder_device_v4l2.cpp
0442f2ca1a72c6a6c6fea429fafff88cddbf50cc	20-Jun-2016	Praveen Chavan <pchavan@codeaurora.org>	mm-video-v4l2: venc: Configure intra preriod for HEVC HEVC's main config param now supports key-frame-interval. Use this information to configure the intra-period. i.e configure number of P-Frames (assuming no B-frames) Bug: 29494247 CRs-Fixed: 1023504 Change-Id: I3d2f0df3a5ab3b7d659ae58ae6f4df5898006934 enc/src/video_encoder_device_v4l2.cpp
f89f2c65e17c4f6df0845ac099e9197af317283e	22-Jun-2016	TreeHugger Robot <treehugger-gerrit@google.com>	Merge "mm-video-v4l2: venc: add checks before accessing heap pointers" into nyc-dev
d99a08f99689df977dfc585a436ada5acf4f2a25	16-Jun-2016	Praveen Chavan <pchavan@codeaurora.org>	mm-video-v4l2: venc: add checks before accessing heap pointers Heap pointers do not point to user virtual addresses in case of secure session. Set them to NULL and add checks to avoid accesing them Bug: 28815329 Bug: 28920116 Change-Id: I94fd5808e753b58654d65e175d3857ef46ffba26 enc/src/omx_video_base.cpp enc/src/omx_video_encoder.cpp enc/src/video_encoder_device_v4l2.cpp
3957953f027b784f2d55d96d388c8107371eb9db	26-May-2016	Wonsik Kim <wonsik@google.com>	Fix wrong nAllocLen Set nAllocLen to the size of the opaque handle itself. Bug: 28816964 Bug: 28816827 Change-Id: Id410e324bee291d4a0018dddb97eda9bbcded099 enc/src/omx_video_base.cpp
14a9920aa26f6b237957001090b127c9d79ac12e	25-Apr-2016	Praveen Chavan <pchavan@codeaurora.org>	mm-video-v4l2: venc: Avoid processing ETBs/FTBs in invalid states (per the spec) ETB/FTB should not be handled in states other than Executing, Paused and Idle. This avoids accessing invalid buffers. Also add a lock to protect the private-buffers from being deleted while accessing from another thread. Bug: 27903498 Security Vulnerability - Heap Use-After-Free and Possible LPE in MediaServer (libOmxVenc problem #3) Change-Id: I898b42034c0add621d4f9d8e02ca0ed4403d4fd3 enc/src/omx_video_base.cpp
97e3ddfad60bf0417cbbc93dda97d2b887589fc0	25-Apr-2016	Praveen Chavan <pchavan@codeaurora.org>	mm-video-v4l2: vdec: Avoid processing ETBs/FTBs in invalid states (per the spec) ETB/FTB should not be handled in states other than Executing, Paused and Idle. This avoids accessing invalid buffers. Also add a lock to protect the private-buffers from being deleted while accessing from another thread. Bug: 27890802 Security Vulnerability - Heap Use-After-Free and Possible LPE in MediaServer (libOmxVdec problem #6) Change-Id: Iaac2e383cd53cf9cf8042c9ed93ddc76dba3907e ommon/inc/vidc_debug.h dec/inc/omx_vdec.h dec/src/omx_vdec_msm8974.cpp
0db330f0ede890a2c99a73b5c5e53c41a2c87aa3	30-Apr-2016	TreeHugger Robot <treehugger-gerrit@google.com>	Merge "mm-video-v4l2: vidc: fix matching of extension strings" into nyc-dev
1c3edf4ea2b794bc00a1d1fce7d14fd20423b939	08-Apr-2016	Hangyu Kuang <hkuang@google.com>	Merge "mm-video-v4l2: vidc: Add support for OMX_IndexConfigAndroidIntraRefresh" into nyc-dev
f1b15e15b61a610b6d0a78797e9a5a3f2cfdd56c	30-Mar-2016	Arun Menon <avmenon@codeaurora.org>	mm-video-v4l2: vidc: Add support for OMX_IndexConfigAndroidIntraRefresh OMX Component will support OMX_IndexConfigAndroidIntraRefresh only in loaded state. Bug: 27108817 Change-Id: I213fed57842b94c333843871d6c555e1fb8784e5 enc/inc/omx_video_base.h enc/src/omx_video_base.cpp enc/src/omx_video_encoder.cpp enc/src/video_encoder_device_v4l2.cpp
c9770704a9bb7c26205cf0e5bca05d4397aab1c3	17-Mar-2016	Praveen Chavan <pchavan@codeaurora.org>	mm-video-v4l2: vidc: fix matching of extension strings Using strncmp with the strlen of source string can result in false positives when it is a substring of the passed string. Eg: strncmp("OMX.extn.x", "OMX.extn.xyz", strlen(OMX.extn.x)) will result in a match. Use strcmp instead. Bug: 27344524 Change-Id: I68839f2bea8b97a31f43885538e9dce51aa8c1b4 dec/src/omx_vdec_msm8974.cpp enc/src/omx_video_base.cpp
f45517f0fc54776d5e9b78172af4453915991c73	07-Apr-2016	Ajay Dudani <adudani@google.com>	Merge "media: Enable support for msm8952 target" into nyc-dev
7c1a4b1738ca4b68a2d734d61245f19b7f785465	07-Apr-2016	Ajay Dudani <adudani@google.com>	media: Enable support for msm8952 target Change-Id: I8aae920d59fdd36e39ca2163a8bb11aa0f8c6947 dec.mk enc.mk
ff8f9f29b46df8de6dba9bda31eab4beb67146b8	23-Mar-2016	Praveen Chavan <pchavan@codeaurora.org>	mm-video-v4l2: vdec: deprecate unused config OMX_IndexVendorVideoExtraData This config (used to set header offline) is no longer used. Remove handling this config since it uses non-process-safe ways to pass memory pointers. Fixes: Security Vulnerability - Segfault in MediaServer (libOmxVdec problem #2) Bug: 27475409 Change-Id: I7a535a3da485cbe83cf4605a05f9faf70dcca42f dec/src/omx_vdec_msm8974.cpp
fd65fa891104fd7cedb06a8ba0849934dae63640	23-Mar-2016	Praveen Chavan <pchavan@codeaurora.org>	mm-video-v4l2: vdec: add safety checks for freeing buffers Allow only up to 64 buffers on input/output port (since the allocation bitmap is only 64-wide). Do not allow changing the actual buffer count while still holding allocation (Client can technically negotiate buffer count on a free/disabled port) Add safety checks to free only as many buffers were allocated. Fixes: Security Vulnerability - Heap Overflow and Possible Local Privilege Escalation in MediaServer (libOmxVdec problem #3) Bug: 27532282 27661749 Change-Id: I06dd680d43feaef3efdc87311e8a6703e234b523 dec/inc/omx_vdec.h dec/src/omx_vdec_msm8974.cpp
417bd6d3d293ef616a5a33741cfd6ac8c50f685f	21-Mar-2016	Praveen Chavan <pchavan@codeaurora.org>	mm-video-v4l2: venc: add safety checks for freeing buffers Allow only up to 64 buffers on input/output port (since the allocation bitmap is only 64-wide). Add safety checks to free only as many buffers were allocated. Fixes: Heap Overflow and Possible Local Privilege Escalation in MediaServer (libOmxVenc problem) Bug: 27532497 Change-Id: I31e576ef9dc542df73aa6b0ea113d72724b50fc6 enc/inc/omx_video_base.h enc/src/omx_video_base.cpp enc/src/omx_video_encoder.cpp
af0b35a2e7f4d246242c0f35fcde04858dd6670d	05-Apr-2016	Steve Pfetsch <spfetsch@google.com>	Merge "mm-video-v4l2: vdec: Add range check before native_buffer usage" into nyc-dev
00c00c349f132b5bba20e26ed54d01e9be9f87e4	31-Mar-2016	Praveen Chavan <pchavan@codeaurora.org>	mm-video-v4l2: vdec: Add range check before native_buffer usage Restore missing buffer-index calculation, without which, native-handles were not being saved properly and NULL handles got sent out to gralloc::setMetadata A bad buffer index can cause the OMX component to make an out of bound read/write access on the native_buffer array and cause a crash. Add range check to fix the issue. Bug: 25976027 Change-Id: I684a501a1a71898b5c1c80566125459a5972c959 dec/src/omx_vdec_msm8974.cpp
16ee85d1d456a4b694fd32baa5f52341e638b5d8	30-Mar-2016	Praveen Chavan <pchavan@codeaurora.org>	mm-video-v4l2: vidc: validate omx param/config data Check the sanity of config/param strcuture objects passed to get/set _ config()/parameter() methods. Bug: 27533317 Security Vulnerability in MediaServer omx_vdec::get_config() Can lead to arbitrary write Change-Id: I6c3243afe12055ab94f1a1ecf758c10e88231809 ommon/inc/vidc_debug.h dec/src/omx_vdec_msm8974.cpp enc/src/omx_video_base.cpp enc/src/omx_video_encoder.cpp
e4010605f233a213cf0d972397bb33c34c364227	07-Mar-2016	Patrick Tjin <pattjin@google.com>	Initial import of msm8996 media HAL 1) Move existing HAL to msm8974/ 2) Import msm8996 HAL from LA.HB.1.1.2_rb1.12 3) Modify Makefiles to remove kernel dependencies and fix for new directory structure 4) Modify top level makefile for new directory structure Top commits from LA.HB.1.1.2_rb1.12 included in this commit: db7937a mm-video: vidc: memset struct v4l2_format prior to S_FMT d77ab10 Merge "mm-video-v4l2: vidc: Do not queue output buffer if flush is in progress" 8895985 mm-video-v4l2: vidc: vdec: Add property to disable UBWC for OPB 675af75 Merge "mm-video: vidc: Communicate the right colorformat to the driver" dd79df2 Merge "mm-video: vidc: Reliably stop the message thread" c3e8618 Merge "mm-video-v4l2: vidc: venc: Fix B-Frame handling" 755ec08 mm-video-v4l2: vidc: Do not queue output buffer if flush is in progress 3ac8410 mm-video: vidc: Reliably stop the message thread b73dcba Merge "mm-video-v4l2: vidc: venc: Bug fixes for VZIP" 8358109 Merge "mm-video-v4l2: vdec: fix picture type decode mode return status" BUG=27420204 Signed-off-by: Patrick Tjin <pattjin@google.com> Change-Id: I71aa0190e48b332268334677894b0ad7c606296b ndroid.mk ommon/inc/extra_data_handler.h ommon/inc/vidc_color_converter.h ommon/inc/vidc_debug.h ommon/src/extra_data_handler.cpp ommon/src/vidc_color_converter.cpp dec.mk dec/inc/Map.h dec/inc/decoder_driver_test.h dec/inc/frameparser.h dec/inc/h264_utils.h dec/inc/hevc_utils.h dec/inc/message_queue.h dec/inc/mp4_utils.h dec/inc/omx_vdec.h dec/inc/omx_vdec_hevc.h dec/inc/power_module.h dec/inc/qtypes.h dec/inc/queue.h dec/inc/ts_parser.h dec/src/frameparser.cpp dec/src/h264_utils.cpp dec/src/hevc_utils.cpp dec/src/message_queue.c dec/src/mp4_utils.cpp dec/src/omx_vdec.cpp dec/src/omx_vdec_hevc.cpp dec/src/omx_vdec_hevc_swvdec.cpp dec/src/omx_vdec_msm8974.cpp dec/src/power_module.cpp dec/src/queue.c dec/src/ts_parser.cpp dec/test/decoder_driver_test.c dec/test/omx_vdec_test.cpp enc.mk enc/inc/camera_test.h enc/inc/fb_test.h enc/inc/omx_video_base.h enc/inc/omx_video_common.h enc/inc/omx_video_encoder.h enc/inc/queue.h enc/inc/venc_util.h enc/inc/video_encoder_device.h enc/inc/video_encoder_device_v4l2.h enc/inc/video_encoder_test.h enc/src/omx_video_base.cpp enc/src/omx_video_encoder.cpp enc/src/video_encoder_device.cpp enc/src/video_encoder_device_v4l2.cpp enc/test/venc_test.cpp