From: gan.zhang Date: Fri, 2 Oct 2020 07:05:20 +0000 (+0800) Subject: h265: aux data exceeding size results in crash. [1/1] X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=128beda3d8f20f5fb672c3d4dbdc8a41a154e322;p=GitHub%2FLineageOS%2FG12%2Fandroid_hardware_amlogic_kernel-modules_media.git h265: aux data exceeding size results in crash. [1/1] PD#SWPL-34380 Problem: When parsed to eos, the aux_size of the last frame of data is set in set_aux_data to an incorrect size. Solution: 1.When parsed to eos, if decoding_pic is NULL, dolby_get_meta is not called. 2.Add a size limit in the dump_aux_data function to prevent access overbounds from causing crashes. https://scgit.amlogic.com/#/c/119228/ The above submission only ensures no crash by limiting the aux_data size Verify: AH212 Change-Id: I99c369f91e3f9357d692e0abe8bf13562f172cf4 Signed-off-by: gan.zhang --- diff --git a/drivers/frame_provider/decoder/h265/vh265.c b/drivers/frame_provider/decoder/h265/vh265.c index d79390c..22b30c9 100644 --- a/drivers/frame_provider/decoder/h265/vh265.c +++ b/drivers/frame_provider/decoder/h265/vh265.c @@ -9832,6 +9832,11 @@ static void dump_aux_buf(struct hevc_state_s *hevc) hevc_print(hevc, 0, "prefix aux: (size %d)\n", aux_size); + if (aux_size > hevc->prefix_aux_size) { + hevc_print(hevc, 0, + "%s:aux_size(%d) is over size\n", __func__, aux_size); + return ; + } for (i = 0; i < (aux_size >> 1); i++) { hevc_print_cont(hevc, 0, @@ -9853,6 +9858,11 @@ static void dump_aux_buf(struct hevc_state_s *hevc) hevc_print(hevc, 0, "suffix aux: (size %d)\n", aux_size); + if (aux_size > hevc->suffix_aux_size) { + hevc_print(hevc, 0, + "%s:aux_size(%d) is over size\n", __func__, aux_size); + return ; + } for (i = 0; i < (aux_size >> 1); i++) { hevc_print_cont(hevc, 0, 
@@ -12729,7 +12739,8 @@ static void vh265_work_implement(struct hevc_state_s *hevc, hevc->eos = 1; #ifdef CONFIG_AMLOGIC_MEDIA_ENHANCEMENT_DOLBYVISION if ((vdec_dual(vdec)) && aux_data_is_avaible(hevc)) - dolby_get_meta(hevc); + if (hevc->decoding_pic) + dolby_get_meta(hevc); #endif check_pic_decoded_error(hevc, hevc->pic_decoded_lcu_idx);
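Review bot: in the first dump_aux_buf hunk (prefix aux, @@ -9832), the new "return ;" exits the whole function, so an oversized prefix aux_size also skips the suffix aux dump that follows in the same function. Skipping only the prefix loop, or clamping aux_size to hevc->prefix_aux_size before the loop, would keep the suffix output available for debugging. The space before the semicolon in "return ;" should also be dropped to match kernel style.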
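Review bot: in the second dump_aux_buf hunk (suffix aux, @@ -9853), the log string "%s:aux_size(%d) is over size" is identical to the one in the prefix check, so the message cannot tell which buffer was out of range and does not show the limit it was compared against. Suggest naming the buffer in the message and printing hevc->suffix_aux_size next to aux_size. The two checks are near-duplicates and could share a small helper, and "return ;" has the same stray space here.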
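Review bot: in the vh265_work_implement hunk (@@ -12729), the added "if (hevc->decoding_pic)" is nested under the existing unbraced "if ((vdec_dual(vdec)) && aux_data_is_avaible(hevc))", which is easy to misread and fragile if an else branch is ever added. Folding the new test into the outer condition with &&, or adding braces, would be clearer. A short comment that decoding_pic can be NULL when eos is reached would document why the guard exists, since that reasoning currently lives only in the commit message.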