Google Git
Sign in
android / platform / external / v4l2_codec2 / e5b5b5f04fc4bc08ecd2f25d22aaceaaf89465ba^! / .
commite5b5b5f04fc4bc08ecd2f25d22aaceaaf89465ba[log] [tgz]
authorMattijs Korpershoek <[email protected]>Tue Apr 09 15:09:05 2024 +0200
committerMattijs Korpershoek <[email protected]>Mon Sep 30 14:08:35 2024 +0200
treeb077bb638316e5d643778b4b6b5893676ecf4ea3
parent5c00f2d123b5d4498f331d654ad6f9b872406156 [diff]
v4l2_codec2: encode: fix crash when input.buffers[0] is nullptr

The client can crash the V4L2EncodeComponent by passing an input with
one buffer where buffer==nullptr:

F DEBUG   : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
F DEBUG   : Build fingerprint: 'TI/am62p/am62p:14/UQ1A.240105.002/eng.mkorpe.20240325.115051:userdebug/test-keys'
F DEBUG   : Revision: '0'
F DEBUG   : ABI: 'arm64'
F DEBUG   : Timestamp: 2024-04-09 07:53:02.494446645+0000
F DEBUG   : Process uptime: 8s
F DEBUG   : Cmdline: /vendor/bin/hw/[email protected]
F DEBUG   : pid: 4949, tid: 4955, name: V4L2EncodeCompo  >>> /vendor/bin/hw/[email protected] <<<
F DEBUG   : uid: 1013
F DEBUG   : tagged_addr_ctrl: 0000000000000001 (PR_TAGGED_ADDR_ENABLE)
F DEBUG   : signal 0 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr --------
F DEBUG   : Cause: null pointer dereference
F DEBUG   :     x0  0000000000000000  x1  b400007acbed72e8  x2  b400007a3beda7f0  x3  0000000000000010
F DEBUG   :     x4  020000797bedb2c0  x5  b400007a2bed1878  x6  0000000000000001  x7  7f7f7f7f7f7fff7f
F DEBUG   :     x8  00000078e68d0710  x9  b40000795bed9990  x10 b40000795bed99a0  x11 0000000000000003
F DEBUG   :     x12 0000000000000000  x13 0000000000000004  x14 0000000000000276  x15 0000000000000000
F DEBUG   :     x16 0000007b7c1eac60  x17 0000007b80a6c770  x18 00000078e5aa2000  x19 b400007a0bede5a0
F DEBUG   :     x20 00000078e68d07e0  x21 0000000000000000  x22 0000000000000000  x23 b400007a9bed6210
F DEBUG   :     x24 0000000000000000  x25 00000078e68d1000  x26 0000000000000002  x27 0000007b8a387b88
F DEBUG   :     x28 00000000000fc000  x29 00000078e68d0680
F DEBUG   :     lr  0000007b7c1cbb20  sp  00000078e68d0680  pc  0000007b80a6c778  pst 0000000080000000
F DEBUG   : 12 total frames
F DEBUG   : backtrace:
F DEBUG   :       #00 pc 0000000000069778  /vendor/lib64/libcodec2_vndk.so (C2Buffer::data() const+8) (BuildId: 1d42f8105aac0515945328329706c2e1)
F DEBUG   :       #01 pc 0000000000042b1c  /vendor/lib64/libv4l2_codec2_components.so (android::V4L2EncodeComponent::queueTask(std::__1::unique_ptr<C2Work, std::__1::default_delete<C2Work> >)+348) (BuildId: 2f6128320f05c503e8ee6dc9e05df980)
F DEBUG   :       #02 pc 00000000000470a8  /vendor/lib64/libv4l2_codec2_components.so (base::internal::Invoker<base::internal::BindState<void (android::V4L2EncodeComponent::*)(std::__1::unique_ptr<C2Work, std::__1::default_delete<C2Work> >), base::WeakPtr<android::V4L2EncodeComponent>, std::__1::unique_ptr<C2Work, std::__1::default_delete<C2Work> > >, void ()>::RunOnce(base::internal::BindStateBase*)+120) (BuildId: 2f6128320f05c503e8ee6dc9e05df980)
F DEBUG   :       #03 pc 00000000000acca0  /vendor/lib64/libchrome.so (base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*)+192) (BuildId: 87e214635dddac0ae594ee401576361a)
F DEBUG   :       #04 pc 00000000000cc9ac  /vendor/lib64/libchrome.so (base::MessageLoop::RunTask(base::PendingTask*)+348) (BuildId: 87e214635dddac0ae594ee401576361a)
F DEBUG   :       #05 pc 00000000000ccd84  /vendor/lib64/libchrome.so (base::MessageLoop::DoWork()+468) (BuildId: 87e214635dddac0ae594ee401576361a)
F DEBUG   :       #06 pc 00000000000ce080  /vendor/lib64/libchrome.so (base::MessagePumpDefault::Run(base::MessagePump::Delegate*)+96) (BuildId: 87e214635dddac0ae594ee401576361a)
F DEBUG   :       #07 pc 00000000000f1fec  /vendor/lib64/libchrome.so (base::RunLoop::Run()+60) (BuildId: 87e214635dddac0ae594ee401576361a)
F DEBUG   :       #08 pc 0000000000111e88  /vendor/lib64/libchrome.so (base::Thread::ThreadMain()+392) (BuildId: 87e214635dddac0ae594ee401576361a)
F DEBUG   :       #09 pc 000000000010f040  /vendor/lib64/libchrome.so (base::(anonymous namespace)::ThreadFunc(void*)+128) (BuildId: 87e214635dddac0ae594ee401576361a)
F DEBUG   :       #10 pc 00000000000d6fb0  /apex/com.android.runtime/lib64/bionic/libc.so (__pthread_start(void*)+208) (BuildId: 218db69eb66aeb253a34d956906a8bba)
F DEBUG   :       #11 pc 000000000006ad90  /apex/com.android.runtime/lib64/bionic/libc.so (__start_thread+64) (BuildId: 218db69eb66aeb253a34d956906a8bba)

This is tested by VtsHalMediaC2V1_0TargetComponentTest#testInputBuffer().

Fix this by guarding against this condition, as done in SimpleC2Component[1]

[1] https://android.googlesource.com/platform/frameworks/av/+/refs/heads/main/media/codec2/components/base/SimpleC2Component.cpp#1141
Test: atest VtsHalMediaC2V1_0TargetComponentTest
Change-Id: I407f8f7fb420bd993a665c0a7cb10ad1e224d0fb
Signed-off-by: Mattijs Korpershoek <[email protected]>

diff --git a/components/EncodeComponent.cpp b/components/EncodeComponent.cpp
index 5d1d64a..45c1952 100644
--- a/components/EncodeComponent.cpp
+++ b/components/EncodeComponent.cpp

@@ -432,6 +432,14 @@
     ALOGV("Queuing next encode (index: %" PRIu64 ", timestamp: %" PRId64 ", EOS: %d)", index,
           timestamp, endOfStream);
 
+    // If input buffer list is not empty, it means we have some input to process
+    // on. However, input could be a null buffer. In such case, clear the buffer
+    // list before making call to process().
+    if (!work->input.buffers.empty() && !work->input.buffers[0]) {
+        ALOGD("Encountered null input buffer. Clearing the input buffer");
+        work->input.buffers.clear();
+    }
+
     // The codec 2.0 framework might queue an empty CSD request, but this is currently not
     // supported. We will return the CSD with the first encoded buffer work.
     if (work->input.buffers.empty() && !endOfStream) {