author | Yichi Chen <yichichen@google.com> | 2021-06-11 15:09:54 +0800 |
---|---|---|
committer | Yichi Chen <yichichen@google.com> | 2021-06-15 10:10:50 +0800 |
commit | d348f15eac59e1c077480c1a9881ebe37360567c (patch) | |
tree | 49c3137f9548ea3eb42defece1accee6309cb479 /libvendorgraphicbuffer | |
parent | f66c6d9f09ce44a46c49e09053240f9e1910b61a (diff) |
vendorgraphicbuffer: add validation on metadata before operating
The process crashed when it operated on the metadata of an unimported buffer.
To improve the robustness of the system, this patch adds a check on the
mali reference to avoid the crash.
Bug: 186739698
Test: android.mediav2.cts.EncoderColorAspectsTes
Change-Id: Ia9c074dcee0d0f3a8ef18170ea6bce153fa734a5
Diffstat (limited to 'libvendorgraphicbuffer')
-rw-r--r-- | libvendorgraphicbuffer/Android.bp | 1 | ||||
-rw-r--r-- | libvendorgraphicbuffer/gralloc4/vendor_graphicbuffer_meta.cpp | 26 |
2 files changed, 19 insertions, 8 deletions
diff --git a/libvendorgraphicbuffer/Android.bp b/libvendorgraphicbuffer/Android.bp
index b1e2a3f..bf8904d 100644
--- a/libvendorgraphicbuffer/Android.bp
+++ b/libvendorgraphicbuffer/Android.bp
@@ -86,6 +86,7 @@ cc_library_shared {
 "android.hardware.graphics.mapper@2.1",
 "android.hardware.graphics.mapper@3.0",
 "android.hardware.graphics.mapper@4.0",
+ "android.hardware.graphics.mapper@4.0-impl",
 "libgralloctypes",
 "libhidlbase",
 ],
diff --git a/libvendorgraphicbuffer/gralloc4/vendor_graphicbuffer_meta.cpp b/libvendorgraphicbuffer/gralloc4/vendor_graphicbuffer_meta.cpp
index 929c6b9..b45cc86 100644
--- a/libvendorgraphicbuffer/gralloc4/vendor_graphicbuffer_meta.cpp
+++ b/libvendorgraphicbuffer/gralloc4/vendor_graphicbuffer_meta.cpp
@@ -32,6 +32,15 @@ using aidl::android::hardware::graphics::common::Dataspace;
 #define UNUSED(x) ((void)x)
 #define SZ_4k 0x1000
+extern int mali_gralloc_reference_validate(buffer_handle_t handle);
+
+const private_handle_t * convertNativeHandleToPrivateHandle(buffer_handle_t handle) {
+ if (mali_gralloc_reference_validate(handle) < 0)
+ return nullptr;
+
+ return static_cast<const private_handle_t *>(handle);
+}
+
 int VendorGraphicBufferMeta::get_video_metadata_fd(buffer_handle_t hnd)
 {
 const private_handle_t *gralloc_hnd = static_cast<const private_handle_t *>(hnd);
@@ -54,6 +63,9 @@ int VendorGraphicBufferMeta::get_dataspace(buffer_handle_t hnd)
 if (!gralloc_hnd)
 return -1;
+ if (mali_gralloc_reference_validate(hnd) < 0)
+ ALOGW("VendorGraphicBufferMeta: get_dataspace from unimported buffer %p", hnd);
+
 int attr_fd = gralloc_hnd->get_share_attr_fd();
 if(attr_fd < 0)
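Review bot: `get_video_metadata_fd`, visible as trailing context of the `@@ -32,6 +32,15 @@` hunk, still obtains `gralloc_hnd` with a bare `static_cast` on `hnd`, so the validation this commit introduces does not cover it; its body continues outside the hunk, so a later check cannot be ruled out from here. For consistency with the other accessors it should go through the new helper: `const auto *gralloc_hnd = convertNativeHandleToPrivateHandle(hnd);`. The helper itself is defined at namespace scope without `static`, which exports a new symbol from the shared library; marking it `static` or placing it in an anonymous namespace keeps it file-local. The hand-written `extern int mali_gralloc_reference_validate(buffer_handle_t handle);` can silently drift from the real definition, so including the header that declares it would be safer if one is available to this module.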
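Review bot: In the `get_dataspace` hunk a failed validation only emits `ALOGW`, and execution then continues to `gralloc_hnd->get_share_attr_fd()`, so a handle that failed the check is still dereferenced on this path, which appears to be the condition the commit message describes as crashing. If continuing is deliberate (for example because callers legitimately query the dataspace before import), a comment stating why it is safe is needed; otherwise return early with `if (mali_gralloc_reference_validate(hnd) < 0) { ALOGW(...); return -1; }`. The braces also prevent a later statement from being read as part of the unbraced `if`. The function body starts and ends outside the hunk.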
@@ -71,9 +83,9 @@ int VendorGraphicBufferMeta::get_dataspace(buffer_handle_t hnd)
 int VendorGraphicBufferMeta::set_dataspace(buffer_handle_t hnd, android_dataspace_t dataspace)
 {
- const private_handle_t *gralloc_hnd = static_cast<const private_handle_t *>(hnd);
+ const auto *gralloc_hnd = convertNativeHandleToPrivateHandle(hnd);
- if (!gralloc_hnd)
+ if (gralloc_hnd == nullptr)
 return -1;
 arm::mapper::common::set_dataspace(gralloc_hnd, static_cast<Dataspace>(dataspace));
@@ -180,10 +192,9 @@ uint64_t VendorGraphicBufferMeta::get_usage(buffer_handle_t hnd)
 void* VendorGraphicBufferMeta::get_video_metadata(buffer_handle_t hnd)
 {
- private_handle_t *gralloc_hnd =
- static_cast<private_handle_t *>(const_cast<native_handle_t *>(hnd));
+ const auto *gralloc_hnd = convertNativeHandleToPrivateHandle(hnd);
- if (!gralloc_hnd)
+ if (gralloc_hnd == nullptr)
 return nullptr;
 return gralloc_hnd->attr_base;
@@ -191,10 +202,9 @@ void* VendorGraphicBufferMeta::get_video_metadata(buffer_handle_t hnd)
 void* VendorGraphicBufferMeta::get_video_metadata_roiinfo(buffer_handle_t hnd)
 {
- private_handle_t *gralloc_hnd =
- static_cast<private_handle_t *>(const_cast<native_handle_t *>(hnd));
+ const auto *gralloc_hnd = convertNativeHandleToPrivateHandle(hnd);
- if (!gralloc_hnd)
+ if (gralloc_hnd == nullptr)
 return nullptr;
 if (gralloc_hnd->get_usage() & VendorGraphicBufferUsage::ROIINFO) |
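Review bot: The rejection path in the `set_dataspace`, `get_video_metadata` and `get_video_metadata_roiinfo` hunks is silent: each returns `-1` or `nullptr` when `convertNativeHandleToPrivateHandle` fails, while `get_dataspace` logs the same condition. A handle that fails validation is the event worth seeing in the log when triaging, so one `ALOGW("VendorGraphicBufferMeta: operation on unimported buffer %p", handle);` in the helper before its `return nullptr;` would cover all three call sites. `get_video_metadata` and `get_video_metadata_roiinfo` now return `nullptr` for handles that previously yielded a pointer, so each deserves a one-line comment telling callers to check the result. All three function bodies extend beyond their hunks.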