When starting MMAP input stream, APM will check if the client is allowed
to capture at that moment or not and call setRecordSilenced if the
client is not allowed. However, the client is not active when starting
the MMAP input stream. In that case, the client silenced state will be
lost and the client will be able to capture even though it is not
allowed. In this CL, when setRecordSilenced is called, it will cache
the client silenced state so that it can apply when the client is
active.
Test: atest AAudioTests
Test: repo steps from the bug
Bug: 235850634
Change-Id: I49b5a0f08d1747053f868db6e88c0f677256fc3c
Merged-In: I49b5a0f08d1747053f868db6e88c0f677256fc3c
(cherry picked from commit 0960903b2fee5d1d449ffcd598e0b5d3a945d99a)
(cherry picked from commit a2f00f95e0e74efe439a591b236afb598dbf8972)
Merged-In: I49b5a0f08d1747053f868db6e88c0f677256fc3c
Fixing vulnerability in extract3GGPGlobalDescriptions() in
TextDescriptions.cpp
Bug: 233735886
Test: Run related PoC. See bug.
Change-Id: I87955b911d0a40390755321d332a11ecc9b20354
(cherry picked from commit b63d4e785ba4d896bbbd50d4f09bda13294926af)
Merged-In: I87955b911d0a40390755321d332a11ecc9b20354
Bug: 215002587
Test: POC described in bug
Change-Id: I92f8fdfe860cb360fb0ae099db3c92776ba7390f
(cherry picked from commit e89e632f9aa04e15291ee096b3152b40474a993d)
(cherry picked from commit 616bd340ecded759720199bcf5b8562e0fdf3f59)
Merged-In: I92f8fdfe860cb360fb0ae099db3c92776ba7390f
Use mutex to prevent multiple threads accessing same member of
mMappings list at the same time.
Bug: 193790350
Test: adb shell UBSAN_OPTIONS=print_stacktrace=1 /data/local/tmp/C2FuzzerMp3Dec -rss_limit_mb=2560 -timeout=90 -runs=100 /data/local/tmp/clusterfuzz-testcase-minimized-C2FuzzerMp3Dec-5713156165206016
Change-Id: I24e53629d5a6dfad22b84dd2278eb1a288c9ab35
Merged-In: I24e53629d5a6dfad22b84dd2278eb1a288c9ab35
(cherry picked from commit 9d2295f3a008f60bcfa3d2da3b43c078efec1878)
(cherry picked from commit 416da6e8da6b6a16c5c00bddd9fbc7a5f060cd58)
Merged-In: I24e53629d5a6dfad22b84dd2278eb1a288c9ab35
The following scenario can occur:
T1: CameraService::connectDevice()
      CameraService::connectDeviceHelper()
      CameraProviderManager::openSession() ---> holds mInterfaceLock
      .
      .
      . on the same thread before openSession execution completes
      CameraProviderManager::ProviderInfo::torchModeStatusChange() callback from HAL
      .
      CameraService::onTorchStatusChanged()
      CameraProviderManager::getSystemCameraKind tries to lock mInterfaceLock -> deadlock.
We now pass in system camera kind to onTorchStatusChanged in
CameraProviderManager::torchModeStatusChange() instead of calling getSystemCameraKind.
This CL also removes CameraProviderManager::mStatusListenerMutex, since
it wasn't protecting any data structure.
Bug: 202198748
Test: camera CTS, GCA (basic validity)
Merged-In: Id95a2aa061b6cb4db4a25b1a2aa6a390f898af87
Change-Id: Id95a2aa061b6cb4db4a25b1a2aa6a390f898af87
Signed-off-by: Jayant Chowdhary <jchowdhary@google.com>
Bug: 204445255
Test: poc from original bug
Change-Id: I569477d0771e1c03318df9ef271cf3201d472c99
(cherry picked from commit 94e58d6b2497d2e0f7e86e2c979e7f6958c84590)
Merged-In: I569477d0771e1c03318df9ef271cf3201d472c99
doRead() doesn't handle situations when received bytes do not fit into
input buffer in case of vorbis audio compression. It results in OOB
write in heap memory right after the allocated input buffer. Added
code to copy kKeyValidSamples only if there was enough space.
Otherwise, print a warning log.
Bug: 194105348
Test: post-submit media cts tests
Change-Id: I2b27580deff9ad937b68703a1e7c3ff2a6dccc60
(cherry picked from commit a625b40e1c210f1e8ed57962eee9f70cef06fb1b)
(cherry picked from commit f3590a1b18d8cde4ac1cbc135c1022816096438d)
Merged-In: I2b27580deff9ad937b68703a1e7c3ff2a6dccc60
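The bounds check this commit message describes, as an added example that is not the AOSP patch: the valid-samples value is appended behind the packet only when the input buffer still has room for it. `InputBuffer`, `fillVorbisInput` and the 32-bit trailer size are assumptions of this sketch, and the sizes are constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

enum class Fill { kRejected, kPacketOnly, kPacketAndTrailer };

// Hypothetical stand-in for a codec input buffer: a fixed allocation plus the
// number of bytes currently in use.
struct InputBuffer {
    std::vector<uint8_t> storage;
    size_t size = 0;
    explicit InputBuffer(size_t capacity) : storage(capacity) {}
};

// Copies one compressed packet and, if it still fits, the valid-samples value
// right behind it. Writing the trailer unconditionally is the heap OOB write.
Fill fillVorbisInput(InputBuffer &in, const std::vector<uint8_t> &pkt,
                     int32_t validSamples) {
    const size_t cap = in.storage.size();
    if (pkt.size() > cap) return Fill::kRejected;   // packet alone does not fit
    if (!pkt.empty()) std::memcpy(in.storage.data(), pkt.data(), pkt.size());
    in.size = pkt.size();
    // Compare by subtraction so pkt.size() + sizeof(...) cannot wrap around.
    if (cap - pkt.size() < sizeof(validSamples)) {
        return Fill::kPacketOnly;                   // the fix logs a warning here
    }
    std::memcpy(in.storage.data() + pkt.size(), &validSamples, sizeof(validSamples));
    in.size += sizeof(validSamples);
    return Fill::kPacketAndTrailer;
}

int main() {
    InputBuffer in(16);                             // constructed sizes
    std::vector<uint8_t> pkt(14, 0xAB);             // leaves only 2 bytes free
    return fillVorbisInput(in, pkt, 960) == Fill::kPacketOnly ? 0 : 1;
}
```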
Merge tag 'android-security-11.0.0_r49' into staging/lineage-18.1_merge-android-security-11.0.0_r49
Android security 11.0.0 release 49
* tag 'android-security-11.0.0_r49':
aaudio: unlock when joining the timestamp thread
aaudio: prevent deadlock when stop() calls disconnect()
[RESTRICT AUTOMERGE]Fix CryptoPlugin use after free vulnerability.
Fix potential decrypt destPtr overflow.
Fix UAF in clearkey service's MemoryFileSystem
[RESTRICT AUTOMERGE] Fix possible uaf of play policy state
Prevent read of uninitialized memory
Improve handling MediaCodec linkToDeath() resource manager
Fix double free of play policy in a race condition.
Fix potential decrypt src pointer overflow.
MediaCodec: propagate usage from original surface to release surface
Fix potential overflow in WAV extractor
Fix memory overflow in ESQueue
Revert "CCodecBufferChannel: Process output format when registering buffer"
Expose a property that allows restarting the audio HAL
MPEG4Extractor:don't set delay and padding from 2nd edit list entry
allow mremap to use MEMRMREMAP_MAYMOVE flag
Revert "stagefright: MediaCodec::releaseAsync()"
Revert "stagefright: MediaCodec::releaseAsync()"
audio policy: fix a2dp output detection
Revert "adapt ld.config.txt for vndk apex"
Change-Id: I93157b1a962b0a8f1a0a1b2432e82f6ad4043f78
outputFrameSize, calOutSize and outSize are calculated at 8bit level.
However, the library expects outputFrameSize in int16 samples.
One of the initializations of outputFrameSize was in bytes.
This is now corrected.
Test: clusterfuzz generated poc in bug
Test: atest android.mediav2.cts.CodecDecoderTest
Test: atest VtsHalMediaC2V1_0TargetAudioDecTest
Bug: 193363621
Change-Id: Iac62c4e9d77e7f95f2c692f5ea236e7a5c536dcb
(cherry picked from commit dc32721e28e79df4dd2f5bb896bcf586ebeda5e9)
AudioFlinger is not able to determine the correct
pid/tid for WifiDisplay and thus we do not pass checks
for CAPTURE_AUDIO_OUTPUT and RECORD_AUDIO permissions.
To fix audio for WifiDisplay, it should be safe to
always allow a trusted calling uid (AID_MEDIA which
has the same perms as AID_AUDIOSERVER).
Change-Id: Ifa46d8e77a43027645cad02a04263b58e134c3ad
In commit 3e32878 the stagefright code was restructured to fix
the logic for native handle source, but the change in the
function SurfaceMediaSource::signalBufferReturned was probably
missed.
Try to compare the media buffer handle also to the current native
buffer handle in this function when searching for correspondence.
Change-Id: I352293e525f75dde500ac8e71ee49209710030c3
Signed-off-by: DennySPb <dennyspb@gmail.com>
In function passMetadataBuffer_l, the bufferHandle(ANativeWindowBuffer) is
saved to data (VideoNativeMetadata) but in function getMediaBufferHandle it
gets the bufferHandle from (MediaBuffer*)buffer->data() + 4, which is a wrong
position. To solve this problem, we should get handle from ANativeWindowBuffer,
not from buffer->data() + 4. (If get bufferHandle from buffer->data() + 4, the
function signalBufferReturned will print "returned buffer was not found in the
current list" error.)
Test: Running wifi display, we can see the handle could be found in buffer list.
Change-Id: I71ecf9e2bca1db67d8d6e862ac16b07e939bf521
Signed-off-by: zhangbo_a <zhangbo_a@pinecone.net>
Signed-off-by: DennySPb <dennyspb@gmail.com>
* This fixes buffer flow SurfaceMediaSource -> MediaPuller -> Converter
freezing at mMediaBuffersAvailableCondition.wait(), due to this
condition never being broadcast. This was supposed to happen from within
SurfaceMediaSource::signalBufferReturned(), but this was never called.
The Converter class does feedEncoderInputBuffers(), and after the
encoder does its job, it should return the video buffer to the
SurfaceMediaSource in ACodec::BaseState::onOMXEmptyBufferDone().
* There (in ACodec class), the code for doing that used to be:
    // We're in "store-metadata-in-buffers" mode, the underlying
    // OMX component had access to data that's implicitly refcounted
    // by this "MediaBuffer" object. Now that the OMX component has
    // told us that it's done with the input buffer, we can decrement
    // the mediaBuffer's reference count.
    info->mData->setMediaBufferBase(NULL);
This means that if there was already a MediaBufferBase assigned to
this mediaBuffer, then it got released when explicitly setting it to NULL:
    void MediaCodecBuffer::setMediaBufferBase(MediaBufferBase *mediaBuffer) {
        if (mMediaBufferBase != NULL) {
            mMediaBufferBase->release();
        }
        mMediaBufferBase = mediaBuffer;
    }
Then in MediaBuffer::release(), which is a subclass of
MediaBufferBase, there is code that does
    mObserver->signalBufferReturned(this);
This should have gone on to call SurfaceMediaSource::signalBufferReturned(),
as it was setting itself as observer on the buffers sent to the video
encoder. Stay tuned to find out why the call path was broken.
* Now, after Mr. Dongwon Kang's commit
"f03606d9 Move MediaBufferXXX from foundation to libmediaextractor",
the setMediaBufferBase and getMediaBufferBase functions no longer
exist, and reference counting on MediaBuffer's is different.
The direct replacement of setMediaBufferBase(mbuf) is now
meta()->setObject("mediaBufferHolder", new MediaBufferHolder(mbuf)).
The reference counting seems to now be managed through the constructor
and destructor of this new MediaBufferHolder class (the code for
release() is now in the holder's destructor). Now the issue seems to
be that the lifetime of these new MediaBufferHolder's is not quite
what it should be, because their destructor never gets called, hence
the buffers never get returned.
* This might be an API problem that Mr. Dongwon Kang himself acknowledged,
since in the aforementioned patch, he forcefully called mbuf->release()
right below a comment where it clearly said that "video encoder will
release MediaBuffer when done with underlying data":
f03606d903%5E%21/#F13
* Without addressing the root cause of the issue, in this commit we are
simply mirroring a workaround for what appears to be broken media
buffer reference counting.
Change-Id: Ie540e6dcf5536f93091ced2af2e121b71f70bb83
Signed-off-by: Vladimir Oltean <olteanv@gmail.com>
Signed-off-by: DennySPb <dennyspb@gmail.com>
This imports the old foundation code in the standard platform stagefright.
The foundation variant is used in VNDK, we can't change the ABI there.
This reverts commit 5ec3d6ac0c.
Change-Id: Iebcf5d89a768fdb830bea90fbf2c2427a4c3d139
Signed-off-by: DennySPb <dennyspb@gmail.com>
Signed-off-by: Luca Stefani <luca.stefani.ge1@gmail.com>
This adds back the SurfaceMediaSource class, needed for WFD.
This reverts commit e885915204.
Change-Id: I3f67d01f18441e49205e2e263d20f0fb6fc91fe6
Signed-off-by: Vladimir Oltean <olteanv@gmail.com>
Signed-off-by: DennySPb <dennyspb@gmail.com>
This will prevent a deadlock in case the timestamp
thread tries to acquire the same lock.
Bug: 182852602
Bug: 153358911
Test: plug and unplug headphones while playing
Change-Id: I625d191906c7e280f3a223f476716ef17b9098ea
Merged-In: I625d191906c7e280f3a223f476716ef17b9098ea
(cherry picked from commit 5f6fda778bf35be4cd67363ca0fe40cf710364c3)
Move all calls to send the timestamp into the one timestamp thread.
There was a clear code path that could lead to a deadlock.
If the call to get the timestamp from the HAL returned
an unexpected error code then it would call disconnect().
If that happened below the call to stop() then the
deadlock would occur.
The sequence of calls was AAudioServiceStreamBase::stop()
which locked mLock,
then called AAudioServiceStreamBase::stop_l(),
which called AAudioServiceStreamBase::sendCurrentTimeStamp(),
which called AAudioServiceStreamMMAP::getFreeRunningPosition(),
which called disconnect(),
which locked mLock AGAIN.
It is not clear what would trigger the error return
from the HAL but a routing change may be involved.
The bug was discovered during stress tests and we do not
have a clear repro case.
Bug: 182852602
Bug: 153358911
Test: atest CtsNativeMediaAAudioTestCases
Change-Id: I575f75ece9b459e7412bca293d7338babe76b3a7
Merged-In: I575f75ece9b459e7412bca293d7338babe76b3a7
(cherry picked from commit 45da1b7e3231bf3475cb9ca1a2243a27355c0466)
(cherry picked from commit 9dd928e100d38c42f68c04c01f09fa8c8cb606d3)
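The lock re-entry described in this commit message (stop() holding mLock while the error path reaches disconnect()), modelled as an added example that is not AOSP code; the CameraProviderManager message earlier in this log describes the same same-thread re-entry shape. `CheckedMutex`, `Stream` and the method bodies are hypothetical, the model is single-threaded, and re-entry is reported rather than left to hang.

```cpp
#include <atomic>
#include <mutex>
#include <thread>
// Reports same-thread re-entry instead of hanging (hypothetical helper).
class CheckedMutex {
    std::mutex m_;
    std::atomic<std::thread::id> owner_{std::thread::id()};
public:
    bool lock() {
        if (owner_.load() == std::this_thread::get_id()) return false;  // would hang
        m_.lock();
        owner_.store(std::this_thread::get_id());
        return true;
    }
    void unlock() { owner_.store(std::thread::id()); m_.unlock(); }
};

struct Stream {                        // single-threaded model of the call chain
    CheckedMutex lock_;
    bool halError = false;             // constructed input: HAL returns an error
    bool disconnected = false, selfDeadlock = false, timestampPending = false;
    void disconnect() {                // public entry point, takes the lock itself
        if (!lock_.lock()) { selfDeadlock = true; return; }
        disconnected = true;
        lock_.unlock();
    }
    void sendCurrentTimestamp() { if (halError) disconnect(); }
    void stopBefore() {                // timestamp sent while the lock is held
        lock_.lock();
        sendCurrentTimestamp();        // error path re-enters disconnect()
        lock_.unlock();
    }
    void stopAfter() {                 // only records the request under the lock
        lock_.lock();
        timestampPending = true;
        lock_.unlock();
    }
    void timestampThreadTick() {       // timestamp thread: lock dropped before the call
        lock_.lock();
        bool pending = timestampPending; timestampPending = false;
        lock_.unlock();
        if (pending) sendCurrentTimestamp();
    }
};

int main() {
    Stream s; s.halError = true; s.stopBefore();
    return s.selfDeadlock ? 0 : 1;     // 0: the re-entry was detected
}
```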