authormspector@google.com <mspector@google.com>2016-02-08 10:56:13 -0800
committerThe Android Automerger <android-build@google.com>2016-02-26 16:55:59 -0800
commit3ba0bbe12904d0dfa2245fa3abf2b92034b15db3 (patch)
tree115f8086789b041e6464668b401d4853964c265a /media/libmedia
parent38f1da3889188fb3beeaf7fdfeb92b4444c9fb4b (diff)
IOMX.cpp uninitialized pointer in BnOMX::onTransact
This can lead to local code execution in media server. The fix initializes the pointer and checks the error conditions before returning.

Bug: 26403627
Change-Id: I7fa90682060148448dba01d6acbe3471d1ddb500
Diffstat (limited to 'media/libmedia')
-rw-r--r--media/libmedia/IOMX.cpp8
1 files changed, 5 insertions, 3 deletions
diff --git a/media/libmedia/IOMX.cpp b/media/libmedia/IOMX.cpp
index 5423c2a..8f55eb9 100644
--- a/media/libmedia/IOMX.cpp
+++ b/media/libmedia/IOMX.cpp
@@ -446,7 +446,7 @@ public:
remote()->transact(CONFIGURE_VIDEO_TUNNEL_MODE, data, &reply);
status_t err = reply.readInt32();
- if (sidebandHandle) {
+ if (err == OK && sidebandHandle) {
*sidebandHandle = (native_handle_t *)reply.readNativeHandle();
}
return err;
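Review bot: The status returned by `remote()->transact(CONFIGURE_VIDEO_TUNNEL_MODE, data, &reply)` is still discarded on the line above the changed condition, so `err` comes only from the reply payload. If the transaction itself fails and `reply` stays empty, `reply.readInt32()` will, as far as I know, yield 0, which equals OK, and the new `err == OK` guard then passes. Capturing the transport status first would close that gap: `status_t err = remote()->transact(...);` followed by `if (err == OK) err = reply.readInt32();`. On the error path `*sidebandHandle` is also left unwritten, so a caller that did not initialize its pointer still holds garbage; an `else if (sidebandHandle) { *sidebandHandle = NULL; }` branch would make the out-parameter defined in every case. The enclosing proxy method begins outside this hunk.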
@@ -948,11 +948,13 @@ status_t BnOMX::onTransact(
OMX_BOOL tunneled = (OMX_BOOL)data.readInt32();
OMX_U32 audio_hw_sync = data.readInt32();
- native_handle_t *sideband_handle;
+ native_handle_t *sideband_handle = NULL;
status_t err = configureVideoTunnelMode(
node, port_index, tunneled, audio_hw_sync, &sideband_handle);
reply->writeInt32(err);
- reply->writeNativeHandle(sideband_handle);
+ if(err == OK){
+ reply->writeNativeHandle(sideband_handle);
+ }
return NO_ERROR;
}
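Review bot: In the success branch, `reply->writeNativeHandle(sideband_handle)` is still called without checking that the handle is non-NULL, and its status is dropped. Now that the pointer starts as NULL, an implementation of `configureVideoTunnelMode` that returns OK without setting the out-parameter passes NULL through; tightening the guard to `if (err == OK && sideband_handle != NULL) {` makes that case explicit rather than relying on how Parcel treats a null handle. The reply layout is now conditional on `err`, which is a wire contract with the proxy, so I would record it next to the branch, e.g. `// Handle is marshalled only on success; the proxy reads it only when err == OK.` As a style point, `if(err == OK){` lacks the spacing used by the surrounding code. The `onTransact` case this belongs to begins outside the hunk.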