Merge tag 'android-10.0.0_r37' into staging/lineage-17.1_merge-android-10.0.0_r37

Android 10.0.0 Release 37 (QQ3A.200605.001)

* tag 'android-10.0.0_r37': (47 commits)
  RESTRICT AUTOMERGE: Camera: fix use after free in sensor timestamp
  keep tx3g{Buffer,Size,Filled} in sync
  Fix race condition in AudioTrack::releaseBuffer()
  Fix race condition in AudioRecord::releaseBuffer()
  rtsp: fix integer overflow caused by malformed packets
  IDrm: fix uninitialized variable in GET_OFFLINE_LICENSE_STATE
  audio policy: fix disordered sequence while changing device
  RESTRICT AUTOMERGE: Camera: fix use after free in sensor timestamp
  RESTRICT AUTOMERGE: Camera: fix use after free in sensor timestamp
  BnCrypto: fix use-before-init in CREATE_PLUGIN
  Camera: Add onCameraOpened/onCameraClosed callbacks
  [DO NOT MERGE] Fix Heap use after free in clearkey getSecureStops
  Check if calling uid is system uid for setAllowedPolicyCapture.
  clearkey default: parsePssh securely
  RESTRICT AUTOMERGE CCodec: make config consistent before/after flush
  Reduce the latecy of encoding 1st frame
  [media][sfplugin] fix -Wdangling-gsl
  [DO NOT MERGE] Fix uninitialized data in IHDCP decrypt
  OpusHeader: Fix integer overflow in GetOpusHeaderBuffers
  MPEG4Extractor: check the default sample info before checking the validity of sample size.
  ...

Change-Id: Ibb33de8b4828ed99095af7d629ffc290c188e10d
Signed-off-by: Varun Date <[email protected]>

Author: haggertk

camera/aidl/android/hardware/ICameraServiceListener.aidl

@@ -83,4 +83,12 @@ interface ICameraServiceListener
      * can retry after receiving this callback.
      */
     oneway void onCameraAccessPrioritiesChanged();
+
+    /**
+     * Notify registered clients about cameras being opened/closed.
+     * Only clients with android.permission.CAMERA_OPEN_CLOSE_LISTENER permission
+     * will receive such callbacks.
+     */
+    oneway void onCameraOpened(String cameraId, String clientPackageId);
+    oneway void onCameraClosed(String cameraId);
 }

camera/ndk/impl/ACameraManager.h

@@ -92,6 +92,12 @@ class CameraManagerGlobal final : public RefBase {
         }
 
         virtual binder::Status onCameraAccessPrioritiesChanged();
+        virtual binder::Status onCameraOpened(const String16&, const String16&) {
+            return binder::Status::ok();
+        }
+        virtual binder::Status onCameraClosed(const String16&) {
+            return binder::Status::ok();
+        }
 
       private:
         const wp<CameraManagerGlobal> mCameraManager;

camera/tests/CameraBinderTests.cpp

@@ -95,6 +95,17 @@ class TestCameraServiceListener : public hardware::BnCameraServiceListener {
         return binder::Status::ok();
     }
 
+    virtual binder::Status onCameraOpened(const String16& /*cameraId*/,
+            const String16& /*clientPackageName*/) {
+        // No op
+        return binder::Status::ok();
+    }
+
+    virtual binder::Status onCameraClosed(const String16& /*cameraId*/) {
+        // No op
+        return binder::Status::ok();
+    }
+
     bool waitForNumCameras(size_t num) const {
         Mutex::Autolock l(mLock);
 

drm/libmediadrm/IDrm.cpp

@@ -1071,6 +1071,7 @@ status_t BnDrm::onTransact(
             Vector<uint8_t> keySetId;
             readVector(data, keySetId);
             DrmPlugin::OfflineLicenseState state;
+            state = DrmPlugin::OfflineLicenseState::kOfflineLicenseStateUnknown;
             status_t result = getOfflineLicenseState(keySetId, &state);
             reply->writeInt32(static_cast<DrmPlugin::OfflineLicenseState>(state));
             reply->writeInt32(result);

drm/mediadrm/plugins/clearkey/default/InitDataParser.cpp

@@ -76,10 +76,21 @@ android::status_t InitDataParser::parse(const Vector<uint8_t>& initData,
 
 android::status_t InitDataParser::parsePssh(const Vector<uint8_t>& initData,
         Vector<const uint8_t*>* keyIds) {
+    // Description of PSSH format:
+    // https://w3c.github.io/encrypted-media/format-registry/initdata/cenc.html
     size_t readPosition = 0;
 
-    // Validate size field
     uint32_t expectedSize = initData.size();
+    const char psshIdentifier[4] = {'p', 's', 's', 'h'};
+    const uint8_t psshVersion1[4] = {1, 0, 0, 0};
+    uint32_t keyIdCount = 0;
+    size_t headerSize = sizeof(expectedSize) + sizeof(psshIdentifier) +
+                        sizeof(psshVersion1) + kSystemIdSize + sizeof(keyIdCount);
+    if (initData.size() < headerSize) {
+        return android::ERROR_DRM_CANNOT_HANDLE;
+    }
+
+    // Validate size field
     expectedSize = htonl(expectedSize);
     if (memcmp(&initData[readPosition], &expectedSize,
                sizeof(expectedSize)) != 0) {
@@ -88,15 +99,13 @@ android::status_t InitDataParser::parsePssh(const Vector<uint8_t>& initData,
     readPosition += sizeof(expectedSize);
 
     // Validate PSSH box identifier
-    const char psshIdentifier[4] = {'p', 's', 's', 'h'};
     if (memcmp(&initData[readPosition], psshIdentifier,
                sizeof(psshIdentifier)) != 0) {
         return android::ERROR_DRM_CANNOT_HANDLE;
     }
     readPosition += sizeof(psshIdentifier);
 
     // Validate EME version number
-    const uint8_t psshVersion1[4] = {1, 0, 0, 0};
     if (memcmp(&initData[readPosition], psshVersion1,
                sizeof(psshVersion1)) != 0) {
         return android::ERROR_DRM_CANNOT_HANDLE;
@@ -110,12 +119,14 @@ android::status_t InitDataParser::parsePssh(const Vector<uint8_t>& initData,
     readPosition += kSystemIdSize;
 
     // Read key ID count
-    uint32_t keyIdCount;
     memcpy(&keyIdCount, &initData[readPosition], sizeof(keyIdCount));
     keyIdCount = ntohl(keyIdCount);
     readPosition += sizeof(keyIdCount);
-    if (readPosition + ((uint64_t)keyIdCount * kKeyIdSize) !=
-            initData.size() - sizeof(uint32_t)) {
+
+    uint64_t psshSize = 0;
+    if (__builtin_mul_overflow(keyIdCount, kKeyIdSize, &psshSize) ||
+        __builtin_add_overflow(readPosition, psshSize, &psshSize) ||
+        psshSize != initData.size() - sizeof(uint32_t) /* DataSize(0) */) {
         return android::ERROR_DRM_CANNOT_HANDLE;
     }
 

drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp

@@ -111,6 +111,8 @@ void DrmPlugin::initProperties() {
 // The content in this secure stop is implementation dependent, the clearkey
 // secureStop does not serve as a reference implementation.
 void DrmPlugin::installSecureStop(const hidl_vec<uint8_t>& sessionId) {
+    Mutex::Autolock lock(mSecureStopLock);
+
     ClearkeySecureStop clearkeySecureStop;
     clearkeySecureStop.id = uint32ToVector(++mNextSecureStopId);
     clearkeySecureStop.data.assign(sessionId.begin(), sessionId.end());
@@ -744,6 +746,7 @@ Return<void> DrmPlugin::getOfflineLicenseState(const KeySetId& keySetId,
 }
 
 Return<void> DrmPlugin::getSecureStops(getSecureStops_cb _hidl_cb) {
+    mSecureStopLock.lock();
     std::vector<SecureStop> stops;
     for (auto itr = mSecureStops.begin(); itr != mSecureStops.end(); ++itr) {
         ClearkeySecureStop clearkeyStop = itr->second;
@@ -755,26 +758,32 @@ Return<void> DrmPlugin::getSecureStops(getSecureStops_cb _hidl_cb) {
         stop.opaqueData = toHidlVec(stopVec);
         stops.push_back(stop);
     }
+    mSecureStopLock.unlock();
+
     _hidl_cb(Status::OK, stops);
     return Void();
 }
 
 Return<void> DrmPlugin::getSecureStop(const hidl_vec<uint8_t>& secureStopId,
         getSecureStop_cb _hidl_cb) {
-    SecureStop stop;
+    std::vector<uint8_t> stopVec;
+
+    mSecureStopLock.lock();
     auto itr = mSecureStops.find(toVector(secureStopId));
     if (itr != mSecureStops.end()) {
         ClearkeySecureStop clearkeyStop = itr->second;
-        std::vector<uint8_t> stopVec;
         stopVec.insert(stopVec.end(), clearkeyStop.id.begin(), clearkeyStop.id.end());
         stopVec.insert(stopVec.end(), clearkeyStop.data.begin(), clearkeyStop.data.end());
+    }
+    mSecureStopLock.unlock();
 
+    SecureStop stop;
+    if (!stopVec.empty()) {
         stop.opaqueData = toHidlVec(stopVec);
         _hidl_cb(Status::OK, stop);
     } else {
         _hidl_cb(Status::BAD_VALUE, stop);
     }
-
     return Void();
 }
 
@@ -787,10 +796,12 @@ Return<Status> DrmPlugin::releaseAllSecureStops() {
 }
 
 Return<void> DrmPlugin::getSecureStopIds(getSecureStopIds_cb _hidl_cb) {
+    mSecureStopLock.lock();
     std::vector<SecureStopId> ids;
     for (auto itr = mSecureStops.begin(); itr != mSecureStops.end(); ++itr) {
         ids.push_back(itr->first);
     }
+    mSecureStopLock.unlock();
 
     _hidl_cb(Status::OK, toHidlVec(ids));
     return Void();
@@ -856,13 +867,17 @@ Return<Status> DrmPlugin::releaseSecureStops(const SecureStopRelease& ssRelease)
 }
 
 Return<Status> DrmPlugin::removeSecureStop(const hidl_vec<uint8_t>& secureStopId) {
+    Mutex::Autolock lock(mSecureStopLock);
+
     if (1 != mSecureStops.erase(toVector(secureStopId))) {
         return Status::BAD_VALUE;
     }
     return Status::OK;
 }
 
 Return<Status> DrmPlugin::removeAllSecureStops() {
+    Mutex::Autolock lock(mSecureStopLock);
+
     mSecureStops.clear();
     mNextSecureStopId = kSecureStopIdStart;
     return Status::OK;

drm/mediadrm/plugins/clearkey/hidl/include/DrmPlugin.h

@@ -416,6 +416,7 @@ struct DrmPlugin : public IDrmPlugin {
     }
 
     DeviceFiles mFileHandle;
+    Mutex mSecureStopLock;
 
     CLEARKEY_DISALLOW_COPY_AND_ASSIGN_AND_NEW(DrmPlugin);
 };

media/codec2/components/raw/C2SoftRawDec.cpp

@@ -58,7 +58,7 @@ class C2SoftRawDec::IntfImpl : public SimpleInterface<void>::BaseParams {
         addParameter(
                 DefineParam(mSampleRate, C2_PARAMKEY_SAMPLE_RATE)
                 .withDefault(new C2StreamSampleRateInfo::output(0u, 44100))
-                .withFields({C2F(mSampleRate, value).inRange(8000, 384000)})
+                .withFields({C2F(mSampleRate, value).greaterThan(0)})
                 .withSetter((Setter<decltype(*mSampleRate)>::StrictValueWithNoDeps))
                 .build());