IOMX: work against metadata buffer spoofing

- Prohibit direct set/getParam/Settings for extensions meant for
  OMXNodeInstance alone. This disallows enabling metadata mode
  without the knowledge of OMXNodeInstance.
- Do not share metadata mode buffers cross process.
- Disallow setting up metadata mode/tunneling/input surface
  after first sendCommand.
- Disallow store-meta for input cross process.
- Disallow emptyBuffer for surface input (via IOMX).
- Fix checking for input surface.

Bug: 29422020
Change-Id: I801c77b80e703903f62e42d76fd2e76a34e4bc8e
diff --git a/media/libmedia/IOMX.cpp b/media/libmedia/IOMX.cpp
index b082fe4..c28eac8 100644
--- a/media/libmedia/IOMX.cpp
+++ b/media/libmedia/IOMX.cpp
@@ -248,7 +248,7 @@
 
     virtual status_t useBuffer(
             node_id node, OMX_U32 port_index, const sp<IMemory> &params,
-            buffer_id *buffer, OMX_U32 allottedSize) {
+            buffer_id *buffer, OMX_U32 allottedSize, OMX_BOOL /* crossProcess */) {
         Parcel data, reply;
         data.writeInterfaceToken(IOMX::getInterfaceDescriptor());
         data.writeInt32((int32_t)node);
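Review bot: The new `OMX_BOOL /* crossProcess */` parameter of the proxy's useBuffer is unnamed and, in the lines visible here, never written to the Parcel, and nothing explains why. A short comment would stop a later change from marshalling it, for example `// crossProcess is deliberately not sent: the Binder stub always passes OMX_TRUE, so a remote caller cannot claim to be in-process.` The same applies to allocateBufferWithBackup in the `@@ -481,7 +481,7 @@` hunk. Both function bodies continue outside their hunks, so confirm that the flag is not written to the Parcel further down.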
@@ -481,7 +481,7 @@
 
     virtual status_t allocateBufferWithBackup(
             node_id node, OMX_U32 port_index, const sp<IMemory> &params,
-            buffer_id *buffer, OMX_U32 allottedSize) {
+            buffer_id *buffer, OMX_U32 allottedSize, OMX_BOOL /* crossProcess */) {
         Parcel data, reply;
         data.writeInterfaceToken(IOMX::getInterfaceDescriptor());
         data.writeInt32((int32_t)node);
@@ -834,7 +834,8 @@
             OMX_U32 allottedSize = data.readInt32();
 
             buffer_id buffer;
-            status_t err = useBuffer(node, port_index, params, &buffer, allottedSize);
+            status_t err = useBuffer(
+                    node, port_index, params, &buffer, allottedSize, OMX_TRUE /* crossProcess */);
             reply->writeInt32(err);
 
             if (err == OK) {
@@ -969,7 +970,10 @@
             OMX_BOOL enable = (OMX_BOOL)data.readInt32();
 
             MetadataBufferType type = kMetadataBufferTypeInvalid;
-            status_t err = storeMetaDataInBuffers(node, port_index, enable, &type);
+            status_t err =
+                // only control output metadata via Binder
+                port_index != 1 /* kOutputPortIndex */ ? BAD_VALUE :
+                storeMetaDataInBuffers(node, port_index, enable, &type);
 
             reply->writeInt32(type);
             reply->writeInt32(err);
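Review bot: The input-port rejection in the added ternary compares `port_index` against a bare `1`, with the constant's name only in a comment, and it fails silently. Using the named constant itself (or a local `const OMX_U32 kOutputPortIndex = 1;` if it is not in scope in this file) keeps the check from drifting away from wherever the port numbering is defined, and a plain `if` reads more clearly than a ternary with a comment embedded in it. Since a Binder caller requesting input-port metadata mode is what this commit defends against, a log line on the reject path, e.g. `ALOGW("storeMetaDataInBuffers: rejecting port %u via Binder", port_index);`, would make such attempts visible. The enclosing case starts and ends outside the hunk.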
@@ -1054,7 +1058,7 @@
 
             buffer_id buffer;
             status_t err = allocateBufferWithBackup(
-                    node, port_index, params, &buffer, allottedSize);
+                    node, port_index, params, &buffer, allottedSize, OMX_TRUE /* crossProcess */);
 
             reply->writeInt32(err);