cas: do not use hidl_memory if size is > SIZE_MAX

Bug: 79376389
Test:
POC in bug; CTS MediaCasTest.

Change-Id: Ia3ecf9664ab69ce293e10b73bc20c37a9992db9f
Chong Zhang
2018-05-10 13:53:12 -07:00
parent e5fe876bc8
commit e1ce74509e


@@ -96,13 +96,13 @@ Return<void> DescramblerImpl::descramble(
descramble_cb _hidl_cb) {
ALOGV("%s", __FUNCTION__);
// Get a local copy of the shared_ptr for the plugin. Note that before
// calling the HIDL callback, this shared_ptr must be manually reset,
// since the client side could proceed as soon as the callback is called
// without waiting for this method to go out of scope.
std::shared_ptr<DescramblerPlugin> holder = std::atomic_load(&mPluginHolder);
if (holder.get() == nullptr) {
_hidl_cb(toStatus(INVALID_OPERATION), 0, NULL);
// hidl_memory's size is stored in uint64_t, but mapMemory's mmap will map
// size in size_t. If size is over SIZE_MAX, mapMemory mapMemory could succeed
// but the mapped memory's actual size will be smaller than the reported size.
if (srcBuffer.heapBase.size() > SIZE_MAX) {
ALOGE("Invalid hidl_memory size: %llu", srcBuffer.heapBase.size());
android_errorWriteLog(0x534e4554, "79376389");
_hidl_cb(toStatus(BAD_VALUE), 0, NULL);
return Void();
}
@@ -112,7 +112,6 @@ Return<void> DescramblerImpl::descramble(
// mapped ashmem, since the offset and size is controlled by client.
if (srcMem == NULL) {
ALOGE("Failed to map src buffer.");
holder.reset();
_hidl_cb(toStatus(BAD_VALUE), 0, NULL);
return Void();
}
@@ -121,7 +120,6 @@ Return<void> DescramblerImpl::descramble(
ALOGE("Invalid src buffer range: offset %llu, size %llu, srcMem size %llu",
srcBuffer.offset, srcBuffer.size, (uint64_t)srcMem->getSize());
android_errorWriteLog(0x534e4554, "67962232");
holder.reset();
_hidl_cb(toStatus(BAD_VALUE), 0, NULL);
return Void();
}
@@ -139,7 +137,6 @@ Return<void> DescramblerImpl::descramble(
"srcOffset %llu, totalBytesInSubSamples %llu, srcBuffer size %llu",
srcOffset, totalBytesInSubSamples, srcBuffer.size);
android_errorWriteLog(0x534e4554, "67962232");
holder.reset();
_hidl_cb(toStatus(BAD_VALUE), 0, NULL);
return Void();
}
@@ -158,7 +155,6 @@ Return<void> DescramblerImpl::descramble(
"dstOffset %llu, totalBytesInSubSamples %llu, srcBuffer size %llu",
dstOffset, totalBytesInSubSamples, srcBuffer.size);
android_errorWriteLog(0x534e4554, "67962232");
holder.reset();
_hidl_cb(toStatus(BAD_VALUE), 0, NULL);
return Void();
}
@@ -167,6 +163,17 @@ Return<void> DescramblerImpl::descramble(
dstBuffer.secureMemory.getNativeHandle());
dstPtr = static_cast<void *>(handle);
}
// Get a local copy of the shared_ptr for the plugin. Note that before
// calling the HIDL callback, this shared_ptr must be manually reset,
// since the client side could proceed as soon as the callback is called
// without waiting for this method to go out of scope.
std::shared_ptr<DescramblerPlugin> holder = std::atomic_load(&mPluginHolder);
if (holder.get() == nullptr) {
_hidl_cb(toStatus(INVALID_OPERATION), 0, NULL);
return Void();
}
// Casting hidl SubSample to DescramblerPlugin::SubSample, but need
// to ensure structs are actually idential
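Review bot: The comment above the new `srcBuffer.heapBase.size() > SIZE_MAX` guard in the first hunk does not say that the comparison can only be true where `size_t` is narrower than the `uint64_t` that hidl_memory stores, and it repeats the word "mapMemory". On a build with a 64-bit `size_t` the condition is always false, so a later cleanup could mistake the guard for dead code; I would add a line such as `// Only reachable when size_t is narrower than uint64_t (e.g. 32-bit builds); do not remove.` and drop the duplicated word. The `ALOGE` on the following line passes a `uint64_t` to `%llu` without a cast, which matches the other log calls visible in this function but is only portable where `uint64_t` is `unsigned long long`; `"Invalid hidl_memory size: %" PRIu64` would avoid that if `<inttypes.h>` is available in this file. descramble() starts before and continues after the visible hunks, so the success-path `holder.reset()` that the moved comment refers to cannot be checked from here.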