diff options
author | Chong Zhang | 2018-05-11 16:12:51 -0500 |
---|---|---|
committer | android-build-merger | 2018-05-11 16:12:51 -0500 |
commit | 42eca4926f31b3ca271df50584a0876244ad9c14 (patch) | |
tree | 113157db95c4b774bf34f97bd6c05b1f8cadbbc0 /cas | |
parent | 4a13ef631e39a180671499bc8442483306f93be3 (diff) | |
parent | e1ce74509e06f56fffa484d76aada8c429397b26 (diff) | |
download | platform-hardware-interfaces-42eca4926f31b3ca271df50584a0876244ad9c14.tar.gz platform-hardware-interfaces-42eca4926f31b3ca271df50584a0876244ad9c14.tar.xz platform-hardware-interfaces-42eca4926f31b3ca271df50584a0876244ad9c14.zip |
cas: do not use hidl_memory if size is > SIZE_MAX
am: e1ce74509e
Change-Id: I4fe12a4ec828605413329d2f771f66bb12e3e9e9
Diffstat (limited to 'cas')
-rw-r--r-- | cas/1.0/default/DescramblerImpl.cpp | 29 |
1 files changed, 18 insertions, 11 deletions
diff --git a/cas/1.0/default/DescramblerImpl.cpp b/cas/1.0/default/DescramblerImpl.cpp index 1f899337..6d5e2d5e 100644 --- a/cas/1.0/default/DescramblerImpl.cpp +++ b/cas/1.0/default/DescramblerImpl.cpp | |||
@@ -96,13 +96,13 @@ Return<void> DescramblerImpl::descramble( | |||
96 | descramble_cb _hidl_cb) { | 96 | descramble_cb _hidl_cb) { |
97 | ALOGV("%s", __FUNCTION__); | 97 | ALOGV("%s", __FUNCTION__); |
98 | 98 | ||
99 | // Get a local copy of the shared_ptr for the plugin. Note that before | 99 | // hidl_memory's size is stored in uint64_t, but mapMemory's mmap will map |
100 | // calling the HIDL callback, this shared_ptr must be manually reset, | 100 | // size in size_t. If size is over SIZE_MAX, mapMemory mapMemory could succeed |
101 | // since the client side could proceed as soon as the callback is called | 101 | // but the mapped memory's actual size will be smaller than the reported size. |
102 | // without waiting for this method to go out of scope. | 102 | if (srcBuffer.heapBase.size() > SIZE_MAX) { |
103 | std::shared_ptr<DescramblerPlugin> holder = std::atomic_load(&mPluginHolder); | 103 | ALOGE("Invalid hidl_memory size: %llu", srcBuffer.heapBase.size()); |
104 | if (holder.get() == nullptr) { | 104 | android_errorWriteLog(0x534e4554, "79376389"); |
105 | _hidl_cb(toStatus(INVALID_OPERATION), 0, NULL); | 105 | _hidl_cb(toStatus(BAD_VALUE), 0, NULL); |
106 | return Void(); | 106 | return Void(); |
107 | } | 107 | } |
108 | 108 | ||
@@ -112,7 +112,6 @@ Return<void> DescramblerImpl::descramble( | |||
112 | // mapped ashmem, since the offset and size is controlled by client. | 112 | // mapped ashmem, since the offset and size is controlled by client. |
113 | if (srcMem == NULL) { | 113 | if (srcMem == NULL) { |
114 | ALOGE("Failed to map src buffer."); | 114 | ALOGE("Failed to map src buffer."); |
115 | holder.reset(); | ||
116 | _hidl_cb(toStatus(BAD_VALUE), 0, NULL); | 115 | _hidl_cb(toStatus(BAD_VALUE), 0, NULL); |
117 | return Void(); | 116 | return Void(); |
118 | } | 117 | } |
@@ -121,7 +120,6 @@ Return<void> DescramblerImpl::descramble( | |||
121 | ALOGE("Invalid src buffer range: offset %llu, size %llu, srcMem size %llu", | 120 | ALOGE("Invalid src buffer range: offset %llu, size %llu, srcMem size %llu", |
122 | srcBuffer.offset, srcBuffer.size, (uint64_t)srcMem->getSize()); | 121 | srcBuffer.offset, srcBuffer.size, (uint64_t)srcMem->getSize()); |
123 | android_errorWriteLog(0x534e4554, "67962232"); | 122 | android_errorWriteLog(0x534e4554, "67962232"); |
124 | holder.reset(); | ||
125 | _hidl_cb(toStatus(BAD_VALUE), 0, NULL); | 123 | _hidl_cb(toStatus(BAD_VALUE), 0, NULL); |
126 | return Void(); | 124 | return Void(); |
127 | } | 125 | } |
@@ -139,7 +137,6 @@ Return<void> DescramblerImpl::descramble( | |||
139 | "srcOffset %llu, totalBytesInSubSamples %llu, srcBuffer size %llu", | 137 | "srcOffset %llu, totalBytesInSubSamples %llu, srcBuffer size %llu", |
140 | srcOffset, totalBytesInSubSamples, srcBuffer.size); | 138 | srcOffset, totalBytesInSubSamples, srcBuffer.size); |
141 | android_errorWriteLog(0x534e4554, "67962232"); | 139 | android_errorWriteLog(0x534e4554, "67962232"); |
142 | holder.reset(); | ||
143 | _hidl_cb(toStatus(BAD_VALUE), 0, NULL); | 140 | _hidl_cb(toStatus(BAD_VALUE), 0, NULL); |
144 | return Void(); | 141 | return Void(); |
145 | } | 142 | } |
@@ -158,7 +155,6 @@ Return<void> DescramblerImpl::descramble( | |||
158 | "dstOffset %llu, totalBytesInSubSamples %llu, srcBuffer size %llu", | 155 | "dstOffset %llu, totalBytesInSubSamples %llu, srcBuffer size %llu", |
159 | dstOffset, totalBytesInSubSamples, srcBuffer.size); | 156 | dstOffset, totalBytesInSubSamples, srcBuffer.size); |
160 | android_errorWriteLog(0x534e4554, "67962232"); | 157 | android_errorWriteLog(0x534e4554, "67962232"); |
161 | holder.reset(); | ||
162 | _hidl_cb(toStatus(BAD_VALUE), 0, NULL); | 158 | _hidl_cb(toStatus(BAD_VALUE), 0, NULL); |
163 | return Void(); | 159 | return Void(); |
164 | } | 160 | } |
@@ -167,6 +163,17 @@ Return<void> DescramblerImpl::descramble( | |||
167 | dstBuffer.secureMemory.getNativeHandle()); | 163 | dstBuffer.secureMemory.getNativeHandle()); |
168 | dstPtr = static_cast<void *>(handle); | 164 | dstPtr = static_cast<void *>(handle); |
169 | } | 165 | } |
166 | |||
167 | // Get a local copy of the shared_ptr for the plugin. Note that before | ||
168 | // calling the HIDL callback, this shared_ptr must be manually reset, | ||
169 | // since the client side could proceed as soon as the callback is called | ||
170 | // without waiting for this method to go out of scope. | ||
171 | std::shared_ptr<DescramblerPlugin> holder = std::atomic_load(&mPluginHolder); | ||
172 | if (holder.get() == nullptr) { | ||
173 | _hidl_cb(toStatus(INVALID_OPERATION), 0, NULL); | ||
174 | return Void(); | ||
175 | } | ||
176 | |||
170 | // Casting hidl SubSample to DescramblerPlugin::SubSample, but need | 177 | // Casting hidl SubSample to DescramblerPlugin::SubSample, but need |
171 | // to ensure structs are actually idential | 178 | // to ensure structs are actually idential |
172 | 179 | ||