Camera: Avoid 'outputBufferSizes' out-of-bounds access

Hal interface stream configuration will iterate over all
available streams both input and output. However the
'outputBufferSizes' vector includes only buffer sizes for
output streams. If we have an input stream, then an invalid
memory access is possible. Resolve this by allocating enough
'outputBufferSizes' entries.

Bug: 72736744
Test: Camera CTS
Change-Id: I6973f1fbf499628437b7523aab6bf13c88015448

services/camera/libcameraservice/device3/Camera3Device.cpp

@@ -2400,7 +2400,7 @@ status_t Camera3Device::configureStreamsLocked(int operatingMode,
 
     Vector<camera3_stream_t*> streams;
     streams.setCapacity(config.num_streams);
-    std::vector<uint32_t> outBufSizes(mOutputStreams.size(), 0);
+    std::vector<uint32_t> bufferSizes(config.num_streams, 0);
 
 
     if (mInputStream != NULL) {
@@ -2435,7 +2435,9 @@ status_t Camera3Device::configureStreamsLocked(int operatingMode,
 
         if (outputStream->format == HAL_PIXEL_FORMAT_BLOB &&
                 outputStream->data_space == HAL_DATASPACE_V0_JFIF) {
-            outBufSizes[i] = static_cast<uint32_t>(
+            size_t k = i + ((mInputStream != nullptr) ? 1 : 0); // Input stream if present should
+                                                                // always occupy the initial entry.
+            bufferSizes[k] = static_cast<uint32_t>(
                     getJpegBufferSize(outputStream->width, outputStream->height));
         }
     }
@@ -2446,7 +2448,7 @@ status_t Camera3Device::configureStreamsLocked(int operatingMode,
     // max_buffers, usage, priv fields.
 
     const camera_metadata_t *sessionBuffer = sessionParams.getAndLock();
-    res = mInterface->configureStreams(sessionBuffer, &config, outBufSizes);
+    res = mInterface->configureStreams(sessionBuffer, &config, bufferSizes);
     sessionParams.unlock(sessionBuffer);
 
     if (res == BAD_VALUE) {
@@ -3504,7 +3506,7 @@ status_t Camera3Device::HalInterface::constructDefaultRequestSettings(
 }
 
 status_t Camera3Device::HalInterface::configureStreams(const camera_metadata_t *sessionParams,
-        camera3_stream_configuration *config, const std::vector<uint32_t>& outputBufferSizes) {
+        camera3_stream_configuration *config, const std::vector<uint32_t>& bufferSizes) {
     ATRACE_NAME("CameraHal::configureStreams");
     if (!valid()) return INVALID_OPERATION;
     status_t res = OK;
@@ -3545,7 +3547,7 @@ status_t Camera3Device::HalInterface::configureStreams(const camera_metadata_t *
         dst3_2.dataSpace = mapToHidlDataspace(src->data_space);
         dst3_2.rotation = mapToStreamRotation((camera3_stream_rotation_t) src->rotation);
         dst3_4.v3_2 = dst3_2;
-        dst3_4.bufferSize = outputBufferSizes[i];
+        dst3_4.bufferSize = bufferSizes[i];
         if (src->physical_camera_id != nullptr) {
             dst3_4.physicalCameraId = src->physical_camera_id;
         }

services/camera/libcameraservice/device3/Camera3Device.h

@@ -283,7 +283,7 @@ class Camera3Device :
                 /*out*/ camera_metadata_t **requestTemplate);
         status_t configureStreams(const camera_metadata_t *sessionParams,
                 /*inout*/ camera3_stream_configuration *config,
-                const std::vector<uint32_t>& outputBufferSizes);
+                const std::vector<uint32_t>& bufferSizes);
         status_t processCaptureRequest(camera3_capture_request_t *request);
         status_t processBatchCaptureRequests(
                 std::vector<camera3_capture_request_t*>& requests,