projects / GitHub / LineageOS / G12 / android_hardware_amlogic_kernel-modules_media.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 2543ae1)
h265: aux data exceeding size results in crash. [1/1]
authorgan.zhang <gan.zhang@amlogic.com>
Fri, 2 Oct 2020 07:05:20 +0000 (15:05 +0800)
committerGan Zhang <gan.zhang@amlogic.com>
Sat, 10 Oct 2020 05:54:19 +0000 (22:54 -0700)
PD#SWPL-34380

Problem:
When parsed to eos, the aux_size of the last frame
of data is set in set_aux_data to an incorrect size.

Solution:
1.When parsed to eos, if decoding_pic is NULL,
dolby_get_meta is not called.
2.Add a size limit in the dump_aux_data function
to prevent access overbounds from causing crashes.

https://scgit.amlogic.com/#/c/119228/
The above submission only ensures no crash by limiting the aux_data size

Verify:
AH212

Change-Id: I99c369f91e3f9357d692e0abe8bf13562f172cf4
Signed-off-by: gan.zhang <gan.zhang@amlogic.com>
drivers/frame_provider/decoder/h265/vh265.c patch | blob | blame | history

diff --git a/drivers/frame_provider/decoder/h265/vh265.c b/drivers/frame_provider/decoder/h265/vh265.c
index d79390c69ac4341bd2f946d23bc0296965f7feb7..22b30c9a1e7980450f12c25bdf7766461295a41d 100644 (file)
--- a/drivers/frame_provider/decoder/h265/vh265.c
+++ b/drivers/frame_provider/decoder/h265/vh265.c
@@ -9832,6 +9832,11 @@ static void dump_aux_buf(struct hevc_state_s *hevc)
                hevc_print(hevc, 0,
                        "prefix aux: (size %d)\n",
                        aux_size);
+               if (aux_size > hevc->prefix_aux_size) {
+                       hevc_print(hevc, 0,
+                               "%s:aux_size(%d) is over size\n", __func__, aux_size);
+                       return ;
+               }
                for (i = 0; i <
                (aux_size >> 1); i++) {
                        hevc_print_cont(hevc, 0,
@@ -9853,6 +9858,11 @@ static void dump_aux_buf(struct hevc_state_s *hevc)
                hevc_print(hevc, 0,
                        "suffix aux: (size %d)\n",
                        aux_size);
+               if (aux_size > hevc->suffix_aux_size) {
+                       hevc_print(hevc, 0,
+                               "%s:aux_size(%d) is over size\n", __func__, aux_size);
+                       return ;
+               }
                for (i = 0; i <
                (aux_size >> 1); i++) {
                        hevc_print_cont(hevc, 0,
@@ -12729,7 +12739,8 @@ static void vh265_work_implement(struct hevc_state_s *hevc,
                hevc->eos = 1;
 #ifdef CONFIG_AMLOGIC_MEDIA_ENHANCEMENT_DOLBYVISION
                if ((vdec_dual(vdec)) && aux_data_is_avaible(hevc))
-                       dolby_get_meta(hevc);
+                       if (hevc->decoding_pic)
+                               dolby_get_meta(hevc);
 #endif
                check_pic_decoded_error(hevc,
                        hevc->pic_decoded_lcu_idx);