Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 1859a38c authored by Yin-Chia Yeh's avatar Yin-Chia Yeh
Browse files

RESTRICT AUTOMERGE: Camera: fix use after free in sensor timestamp 

The metadata object might be overriden later and has it memory
re-allocated; hence snaping the sensor timestamp value before
we call into any method that might change the metadata.

Test: build
Bug: 150944913
Merged-In: I5b10b680e0cce96ca49e1772770adb4835545472
Change-Id: I5b10b680e0cce96ca49e1772770adb4835545472
parent d8d4e803

services/camera/libcameraservice/device3/Camera3Device.cpp

+4 −1
Original line number Diff line number Diff line
@@ -3000,6 +3000,9 @@ void Camera3Device::sendCaptureResult(CameraMetadata &pendingMetadata, 
                frameNumber);

        return;

    }



    nsecs_t sensorTimestamp = timestamp.data.i64[0];



    for (auto& physicalMetadata : captureResult.mPhysicalMetadatas) {

        camera_metadata_entry timestamp =

                physicalMetadata.mPhysicalCameraMetadata.find(ANDROID_SENSOR_TIMESTAMP);
@@ -3019,7 +3022,7 @@ void Camera3Device::sendCaptureResult(CameraMetadata &pendingMetadata, 
    }



    mTagMonitor.monitorMetadata(TagMonitor::RESULT,

            frameNumber, timestamp.data.i64[0], captureResult.mMetadata);

            frameNumber, sensorTimestamp, captureResult.mMetadata);



    insertResultLocked(&captureResult, frameNumber);

}