author | Angela Stegmaier | 2017-02-27 15:05:39 -0600 |
---|---|---|
committer | Buddy Liong | 2017-07-17 13:20:24 -0500 |
commit | 75810b7bb53d2d076a96c2d1e2f8c61b3c12cb6b (patch) | |
tree | bc5ca40041d4c8620c3954a15dd0db4d936877fa /libdce_android.c | |
parent | 4a3df475bc54ae16fd22febeaa8363315708fc1a (diff) | |
libdce[Android]: Fix NULL pointer dereference in dce_buf_unlock
In the case where dce_buf_lock fails due to dce_ipc_init failure,
then MmRpcHandle is not guaranteed to be initialized and could
result in a NULL pointer de-reference. In some use-cases where the
IPUMM takes a longer time to come up, this was resulting in a crash,
causing the Android media service to stop and restart several
times.
This patch fixes the NULL pointer de-reference by first checking if
the IPC is initialized in dce_buf_unlock before calling the IPC API.
This patch also has a minor cleanup of an un-used static global variable.
Change-Id: Idb74fb60c0b9696a0be87e4808b537ebfc84cd7e
Signed-off-by: Angela Stegmaier <angelabaker@ti.com>
Diffstat (limited to 'libdce_android.c')
-rw-r--r-- | libdce_android.c | 6 |
1 files changed, 5 insertions, 1 deletions
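--- a/libdce_android.c
+++ b/libdce_android.c
@@ -45,7 +45,6 @@
 extern MmRpc_Handle MmRpcHandle[];
 extern pthread_mutex_t ipc_mutex;
 int is_ipc_ready = 0;
-static int dce_buf_count = 0;
 
 int dce_buf_lock(int num, size_t *handle)
 {
@@ -92,6 +91,11 @@ int dce_buf_unlock(int num, size_t *handle)
 
 pthread_mutex_lock(&ipc_mutex);
 
+if (!is_ipc_ready) {
+pthread_mutex_unlock(&ipc_mutex);
+return DCE_EIPC_CALL_FAIL;
+}
+
 _ASSERT(num > 0, DCE_EINVALID_INPUT);
 
 desc = malloc(num * sizeof(MmRpc_BufDesc));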
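Review bot: The new guard in dce_buf_unlock tests the scalar `is_ipc_ready`, while the object dereferenced later is an entry of the `MmRpcHandle[]` array, so the check only protects the IPC call if the flag can never be set while that entry is still NULL. Nothing visible in this hunk establishes that, nor that every write to the non-static `is_ipc_ready` happens with `ipc_mutex` held; if either does not hold, the crash described in the commit message remains reachable. I would state the invariant next to the check, e.g. `/* is_ipc_ready is written only under ipc_mutex and implies the MmRpcHandle entry used below is non-NULL */`, or test the handle entry itself right before the IPC call. The early return also unlocks the mutex by hand instead of going through the exit path that `_ASSERT` presumably uses, which needs care if cleanup is ever added to that path. The body of dce_buf_unlock continues outside the hunk.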