From bc8a45f506a8be33250c523d71fab637a5fdaf81 Mon Sep 17 00:00:00 2001 From: Lajos Molnar Date: Tue, 2 Aug 2016 07:07:05 -0700 Subject: IOMX: work against metadata buffer spoofing - Prohibit direct set/getParam/Settings for extensions meant for OMXNodeInstance alone. This disallows enabling metadata mode without the knowledge of OMXNodeInstance. - Do not share metadata mode buffers cross process. - Disallow setting up metadata mode/tunneling/input surface after first sendCommand. - Disallow store-meta for input cross process. - Disallow emptyBuffer for surface input (via IOMX). - Fix checking for input surface. Bug: 29422020 Change-Id: I801c77b80e703903f62e42d76fd2e76a34e4bc8e (cherry picked from commit f8a4cb410115045278f534e54b41ac78d6bf6c07) --- include/media/IOMX.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'include') diff --git a/include/media/IOMX.h b/include/media/IOMX.h index 27ad694..83a177a 100644 --- a/include/media/IOMX.h +++ b/include/media/IOMX.h @@ -107,7 +107,7 @@ public: // Use |params| as an OMX buffer, but limit the size of the OMX buffer to |allottedSize|. virtual status_t useBuffer( node_id node, OMX_U32 port_index, const sp ¶ms, - buffer_id *buffer, OMX_U32 allottedSize) = 0; + buffer_id *buffer, OMX_U32 allottedSize, OMX_BOOL crossProcess = OMX_FALSE) = 0; virtual status_t useGraphicBuffer( node_id node, OMX_U32 port_index, @@ -149,7 +149,7 @@ public: // may be larger. virtual status_t allocateBufferWithBackup( node_id node, OMX_U32 port_index, const sp ¶ms, - buffer_id *buffer, OMX_U32 allottedSize) = 0; + buffer_id *buffer, OMX_U32 allottedSize, OMX_BOOL crossProcess = OMX_FALSE) = 0; virtual status_t freeBuffer( node_id node, OMX_U32 port_index, buffer_id buffer) = 0; -- cgit v1.1 From d8cf9aa813be5363fb5425b4f818a267edd5e750 Mon Sep 17 00:00:00 2001 
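Review bot: The new `crossProcess` parameter on `useBuffer` (and on `allocateBufferWithBackup` in the second hunk) defaults to `OMX_FALSE`, so any call site that omits it is treated as same-process and presumably bypasses the cross-process metadata-buffer restrictions the commit message describes. A security flag is safer fail-closed: drop the default so every caller has to state it, i.e. `buffer_id *buffer, OMX_U32 allottedSize, OMX_BOOL crossProcess) = 0;`. Default arguments on virtual functions are also bound by the static type of the call, so each overrider must repeat the same default or the value depends on which type the call goes through. The declaration would benefit from a comment such as `// |crossProcess| is set by the binder stub for remote callers; it must never be read from the caller's parcel.`, which should be confirmed against the implementation, since that lies outside this header.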
From: Eric Laurent Date: Wed, 7 Sep 2016 16:58:39 -0700 Subject: SoundTrigger: get service by value. Get strong pointer to service interface by value and not reference to prevent race conditions where the service pointer can be cleared by another thread while in use. Bug: 30907212 Change-Id: I6f02ec3fd1e6392b842b334e1cc4f9aa23916009 (cherry picked from commit 3b01b3019b1c62132792a1a94e2dc1f7cfc84f2e) --- include/soundtrigger/SoundTrigger.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'include') diff --git a/include/soundtrigger/SoundTrigger.h b/include/soundtrigger/SoundTrigger.h index bf5e1de..9a05cac 100644 --- a/include/soundtrigger/SoundTrigger.h +++ b/include/soundtrigger/SoundTrigger.h @@ -68,7 +68,7 @@ public: private: SoundTrigger(sound_trigger_module_handle_t module, const sp&); - static const sp& getSoundTriggerHwService(); + static const sp getSoundTriggerHwService(); Mutex mLock; sp mISoundTrigger; -- cgit v1.1 From 128035617a8cafd4ea717ceb8d6fe56564b07262 Mon Sep 17 00:00:00 2001 From: Eric Laurent Date: Wed, 7 Sep 2016 16:58:39 -0700 Subject: Radio: get service by value. Get strong pointer to service interface by value and not reference to prevent race conditions where the service pointer can be cleared by another thread while in use. Bug: 30907212 Change-Id: Iae838b3b672562c1d0cd63968399a6bfdda7f5ab (cherry picked from commit 28a0e9ec74e5192aacffb279c80619ef284062b0) --- include/radio/Radio.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'include') diff --git a/include/radio/Radio.h b/include/radio/Radio.h index 302bf16..a4dfdd1 100644 --- a/include/radio/Radio.h +++ b/include/radio/Radio.h @@ -75,7 +75,7 @@ public: private: Radio(radio_handle_t handle, const sp&); - static const sp& getRadioService(); + static const sp getRadioService(); Mutex mLock; sp mIRadio; -- cgit v1.1
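Review bot: Returning `sp` by value from `getSoundTriggerHwService()` closes the race only if the implementation copies the global pointer while holding the lock that guards it, and only if each caller keeps the result in a local for the whole call. Neither is visible in this header, so both should be confirmed in the .cpp. The same applies to `getRadioService()` in the Radio.h hunk. The top-level `const` on a by-value return has no effect for callers and can be dropped in both declarations, leaving `static sp getSoundTriggerHwService();` with the template argument as in the file. A short comment on each declaration would record the contract, for example `// Returns a strong reference by value so the service cannot be cleared while in use; callers must check for null.`, assuming the getter can return null.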