v4l2_codec2: encode: fix crash when input.buffers[0] is nullptr
The client can crash the V4L2EncodeComponent by passing an input with one buffer where buffer==nullptr: F DEBUG : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** F DEBUG : Build fingerprint: 'TI/am62p/am62p:14/UQ1A.240105.002/eng.mkorpe.20240325.115051:userdebug/test-keys' F DEBUG : Revision: '0' F DEBUG : ABI: 'arm64' F DEBUG : Timestamp: 2024-04-09 07:53:02.494446645+0000 F DEBUG : Process uptime: 8s F DEBUG : Cmdline: /vendor/bin/hw/android.hardware.media.c2@1.0-service-v4l2 F DEBUG : pid: 4949, tid: 4955, name: V4L2EncodeCompo >>> /vendor/bin/hw/android.hardware.media.c2@1.0-service-v4l2 <<< F DEBUG : uid: 1013 F DEBUG : tagged_addr_ctrl: 0000000000000001 (PR_TAGGED_ADDR_ENABLE) F DEBUG : signal 0 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr -------- F DEBUG : Cause: null pointer dereference F DEBUG : x0 0000000000000000 x1 b400007acbed72e8 x2 b400007a3beda7f0 x3 0000000000000010 F DEBUG : x4 020000797bedb2c0 x5 b400007a2bed1878 x6 0000000000000001 x7 7f7f7f7f7f7fff7f F DEBUG : x8 00000078e68d0710 x9 b40000795bed9990 x10 b40000795bed99a0 x11 0000000000000003 F DEBUG : x12 0000000000000000 x13 0000000000000004 x14 0000000000000276 x15 0000000000000000 F DEBUG : x16 0000007b7c1eac60 x17 0000007b80a6c770 x18 00000078e5aa2000 x19 b400007a0bede5a0 F DEBUG : x20 00000078e68d07e0 x21 0000000000000000 x22 0000000000000000 x23 b400007a9bed6210 F DEBUG : x24 0000000000000000 x25 00000078e68d1000 x26 0000000000000002 x27 0000007b8a387b88 F DEBUG : x28 00000000000fc000 x29 00000078e68d0680 F DEBUG : lr 0000007b7c1cbb20 sp 00000078e68d0680 pc 0000007b80a6c778 pst 0000000080000000 F DEBUG : 12 total frames F DEBUG : backtrace: F DEBUG : #00 pc 0000000000069778 /vendor/lib64/libcodec2_vndk.so (C2Buffer::data() const+8) (BuildId: 1d42f8105aac0515945328329706c2e1) F DEBUG : #01 pc 0000000000042b1c /vendor/lib64/libv4l2_codec2_components.so (android::V4L2EncodeComponent::queueTask(std::__1::unique_ptr<C2Work, std::__1::default_delete<C2Work> >)+348) (BuildId: 
2f6128320f05c503e8ee6dc9e05df980) F DEBUG : #02 pc 00000000000470a8 /vendor/lib64/libv4l2_codec2_components.so (base::internal::Invoker<base::internal::BindState<void (android::V4L2EncodeComponent::*)(std::__1::unique_ptr<C2Work, std::__1::default_delete<C2Work> >), base::WeakPtr<android::V4L2EncodeComponent>, std::__1::unique_ptr<C2Work, std::__1::default_delete<C2Work> > >, void ()>::RunOnce(base::internal::BindStateBase*)+120) (BuildId: 2f6128320f05c503e8ee6dc9e05df980) F DEBUG : #03 pc 00000000000acca0 /vendor/lib64/libchrome.so (base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*)+192) (BuildId: 87e214635dddac0ae594ee401576361a) F DEBUG : #04 pc 00000000000cc9ac /vendor/lib64/libchrome.so (base::MessageLoop::RunTask(base::PendingTask*)+348) (BuildId: 87e214635dddac0ae594ee401576361a) F DEBUG : #05 pc 00000000000ccd84 /vendor/lib64/libchrome.so (base::MessageLoop::DoWork()+468) (BuildId: 87e214635dddac0ae594ee401576361a) F DEBUG : #06 pc 00000000000ce080 /vendor/lib64/libchrome.so (base::MessagePumpDefault::Run(base::MessagePump::Delegate*)+96) (BuildId: 87e214635dddac0ae594ee401576361a) F DEBUG : #07 pc 00000000000f1fec /vendor/lib64/libchrome.so (base::RunLoop::Run()+60) (BuildId: 87e214635dddac0ae594ee401576361a) F DEBUG : #08 pc 0000000000111e88 /vendor/lib64/libchrome.so (base::Thread::ThreadMain()+392) (BuildId: 87e214635dddac0ae594ee401576361a) F DEBUG : #09 pc 000000000010f040 /vendor/lib64/libchrome.so (base::(anonymous namespace)::ThreadFunc(void*)+128) (BuildId: 87e214635dddac0ae594ee401576361a) F DEBUG : #10 pc 00000000000d6fb0 /apex/com.android.runtime/lib64/bionic/libc.so (__pthread_start(void*)+208) (BuildId: 218db69eb66aeb253a34d956906a8bba) F DEBUG : #11 pc 000000000006ad90 /apex/com.android.runtime/lib64/bionic/libc.so (__start_thread+64) (BuildId: 218db69eb66aeb253a34d956906a8bba) This is tested by VtsHalMediaC2V1_0TargetComponentTest#testInputBuffer(). 
Fix this by guarding against this condition, as done in SimpleC2Component[1] [1] https://android.googlesource.com/platform/frameworks/av/+/refs/heads/main/media/codec2/components/base/SimpleC2Component.cpp#1141 Test: atest VtsHalMediaC2V1_0TargetComponentTest Change-Id: I407f8f7fb420bd993a665c0a7cb10ad1e224d0fb Signed-off-by: Mattijs Korpershoek <mkorpershoek@baylibre.com>