Fix MediaCodec potential use-after-free
Fix a MediaCodec potential use-after-free problem when
MediaCodec is started and onError occurs.
When onError -> setState(UNINITIALIZED) runs, there is a window in which
returnBuffersToCodec() has completed but mState has not yet been set to
UNINITIALIZED. If getBuffer(..) is called at that moment, a null
buffer is returned. Apps usually use it without checking,
which causes the problem.
Test: manual with YouTube
Test: atest CtsMediaCodecTestCases -- --feature-flags:flag-value \
codec_fwk/android.media.codec.set_state_early=true
Bug: 298613712
Flag: codec_fwk.android.media.codec.set_state_early
Change-Id: I4e9a4d3be7227e68ef2f59df4602d75fdc454001
diff --git a/media/aconfig/codec_fwk.aconfig b/media/aconfig/codec_fwk.aconfig
index a2b6a82..da422b5 100644
--- a/media/aconfig/codec_fwk.aconfig
+++ b/media/aconfig/codec_fwk.aconfig
@@ -13,6 +13,16 @@
}
flag {
+ name: "set_state_early"
+ namespace: "codec_fwk"
+ description: "Bugfix flag for setting state early to avoid a race condition"
+ bug: "298613712"
+ metadata {
+ purpose: PURPOSE_BUGFIX
+ }
+}
+
+flag {
name: "dynamic_color_aspects"
is_exported: true
namespace: "codec_fwk"
diff --git a/media/libstagefright/MediaCodec.cpp b/media/libstagefright/MediaCodec.cpp
index 19e51fd..4e378d4 100644
--- a/media/libstagefright/MediaCodec.cpp
+++ b/media/libstagefright/MediaCodec.cpp
@@ -6052,6 +6052,10 @@
mErrorLog.clear();
}
+ if (android::media::codec::provider_->set_state_early()) {
+ mState = newState;
+ }
+
if (newState == UNINITIALIZED) {
// return any straggling buffers, e.g. if we got here on an error
returnBuffersToCodec();
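Review bot: The flag is evaluated twice in this function — once in the `if (android::media::codec::provider_->set_state_early())` guard added ahead of `returnBuffersToCodec()`, and again (negated) in the next hunk to skip the original assignment — so if the two reads ever disagreed, `mState` could be assigned twice or not at all for this call; read it once into a local, `const bool setStateEarly = android::media::codec::provider_->set_state_early();`, and gate both sites on that so the two branches are provably mutually exclusive. Server-side flags are presumably stable for the process lifetime, so this is defensive, but it costs nothing and removes a read from the state-transition path. The early assignment also deserves a comment stating the invariant it establishes, e.g. `// Publish the new state before returning buffers so a concurrent getBuffer() sees UNINITIALIZED instead of a null buffer.`. Note that reordering only narrows the race: unless the caller that checks the state holds the same lock `returnBuffersToCodec()` takes around the buffer tables, the state check and the buffer return remain non-atomic, so the synchronization of `mState` reads is worth confirming and documenting here. The enclosing function (setState, per the description) starts before this hunk and continues past it.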
@@ -6062,7 +6066,9 @@
mFlags &= ~kFlagSawMediaServerDie;
}
- mState = newState;
+ if (!android::media::codec::provider_->set_state_early()) {
+ mState = newState;
+ }
if (mBatteryChecker != nullptr) {
mBatteryChecker->setExecuting(isExecuting());