libcamera2ndk_vendor: Fix potential use after free of camera_metadata_t

Bug: 131566406 Test: Use libcamera2ndk_vendor multiple times without seeing logs / assertions indicating null metadata / corrupted metadata in allocateACaptureRequest. Change-Id: I2154a83bb97a4dd945f15328769b811e9485a0ac Signed-off-by: Jayant Chowdhary <jchowdhary@google.com>
5 years ago · b61a9d4cde
parent 4714c214a0
commit b61a9d4cde
3 changed files with 14 additions and 13 deletions
--- a/camera/ndk/ndk_vendor/impl/ACameraDevice.cpp
+++ b/camera/ndk/ndk_vendor/impl/ACameraDevice.cpp
@ -262,12 +262,12 @@ camera_status_t CameraDevice::isSessionConfigurationSupported(
 void CameraDevice::addRequestSettingsMetadata(ACaptureRequest *aCaptureRequest,
        sp<CaptureRequest> &req) {
    CameraMetadata metadataCopy = aCaptureRequest->settings->getInternalData();
-    const camera_metadata_t *camera_metadata = metadataCopy.getAndLock();
+    camera_metadata_t *camera_metadata = metadataCopy.release();
    HCameraMetadata hCameraMetadata;
-    utils::convertToHidl(camera_metadata, &hCameraMetadata);
-    metadataCopy.unlock(camera_metadata);
+    utils::convertToHidl(camera_metadata, &hCameraMetadata, true);
    req->mPhysicalCameraSettings.resize(1);
    req->mPhysicalCameraSettings[0].settings.metadata(std::move(hCameraMetadata));
+    req->mPhysicalCameraSettings[0].id = getId();
 }

 camera_status_t CameraDevice::updateOutputConfigurationLocked(ACaptureSessionOutput *output) {
@ -398,10 +398,9 @@ void CameraDevice::allocateOneCaptureRequestMetadata(
    cameraSettings.id = id;
    // TODO: Do we really need to copy the metadata here ?
    CameraMetadata metadataCopy = metadata->getInternalData();
-    const camera_metadata_t *cameraMetadata = metadataCopy.getAndLock();
+    camera_metadata_t *cameraMetadata = metadataCopy.release();
    HCameraMetadata hCameraMetadata;
-    utils::convertToHidl(cameraMetadata, &hCameraMetadata);
-    metadataCopy.unlock(cameraMetadata);
+    utils::convertToHidl(cameraMetadata, &hCameraMetadata, true);
    if (metadata != nullptr) {
        if (hCameraMetadata.data() != nullptr &&
            mCaptureRequestMetadataQueue != nullptr &&
@ -426,11 +425,12 @@ CameraDevice::allocateACaptureRequest(sp<CaptureRequest>& req, const char* devic
        const std::string& id = req->mPhysicalCameraSettings[i].id;
        CameraMetadata clone;
        utils::convertFromHidlCloned(req->mPhysicalCameraSettings[i].settings.metadata(), &clone);
+        camera_metadata_t *clonep = clone.release();
        if (id == deviceId) {
-            pRequest->settings = new ACameraMetadata(clone.release(), ACameraMetadata::ACM_REQUEST);
+            pRequest->settings = new ACameraMetadata(clonep, ACameraMetadata::ACM_REQUEST);
        } else {
            pRequest->physicalSettings[req->mPhysicalCameraSettings[i].id] =
-                    new ACameraMetadata(clone.release(), ACameraMetadata::ACM_REQUEST);
+                    new ACameraMetadata(clonep, ACameraMetadata::ACM_REQUEST);
        }
    }
    pRequest->targets = new ACameraOutputTargets();
--- a/camera/ndk/ndk_vendor/impl/utils.cpp
+++ b/camera/ndk/ndk_vendor/impl/utils.cpp
@ -64,13 +64,14 @@ bool convertFromHidlCloned(const HCameraMetadata &metadata, CameraMetadata *rawM
    return true;
 }

-// Note: existing data in dst will be gone. Caller still owns the memory of src
-void convertToHidl(const camera_metadata_t *src, HCameraMetadata* dst) {
+// Note: existing data in dst will be gone. dst owns memory if shouldOwn is set
+//       to true.
+void convertToHidl(const camera_metadata_t *src, HCameraMetadata* dst, bool shouldOwn) {
    if (src == nullptr) {
        return;
    }
    size_t size = get_camera_metadata_size(src);
-    dst->setToExternal((uint8_t *) src, size);
+    dst->setToExternal((uint8_t *) src, size, shouldOwn);
    return;
 }

--- a/camera/ndk/ndk_vendor/impl/utils.h
+++ b/camera/ndk/ndk_vendor/impl/utils.h
@ -168,8 +168,8 @@ HRotation convertToHidl(int rotation);

 bool convertFromHidlCloned(const HCameraMetadata &metadata, CameraMetadata *rawMetadata);

-// Note: existing data in dst will be gone. Caller still owns the memory of src
-void convertToHidl(const camera_metadata_t *src, HCameraMetadata* dst);
+// Note: existing data in dst will be gone.
+void convertToHidl(const camera_metadata_t *src, HCameraMetadata* dst, bool shouldOwn = false);

 TemplateId convertToHidl(ACameraDevice_request_template templateId);