
Commit 21e79dbd authored by Emilian Peev

Camera: Resize the output slot vector when needed

The output slot vector will be initialized with the total number of
buffers per output and any buffers that get attached are indexed via
the returned slot value. However there is no guarantee that the slot
will be within the [0, totalNumberOfBuffers) range. The buffer queue
can return anything from [0, BufferQueue::NUM_BUFFER_SLOTS) and this
can result in invalid memory operations and potential instabilities.
To resolve this, validate the slot value and resize the output slot
vector accordingly.

Bug: 74828453
Test: Camera CTS
Change-Id: I20502000a5c278eb9a81600282d1fad98455a2c4
parent c5678c49
+8 −0
@@ -423,12 +423,20 @@ status_t Camera3StreamSplitter::attachBufferToOutputs(ANativeWindowBuffer* anb,
                    __FUNCTION__, gbp.get(), strerror(-res), res);
            return res;
        }
        if ((slot < 0) || (slot > BufferQueue::NUM_BUFFER_SLOTS)) {
            SP_LOGE("%s: Slot received %d either bigger than expected maximum %d or negative!",
                    __FUNCTION__, slot, BufferQueue::NUM_BUFFER_SLOTS);
            return BAD_VALUE;
        }
        //During buffer attach 'mMutex' is not held which makes the removal of
        //"gbp" possible. Check whether this is the case and continue.
        if (mOutputSlots[gbp] == nullptr) {
            continue;
        }
        auto& outputSlots = *mOutputSlots[gbp];
        if (static_cast<size_t> (slot + 1) > outputSlots.size()) {
            outputSlots.resize(slot + 1);
        }
        if (outputSlots[slot] != nullptr) {
            // If the buffer is attached to a slot which already contains a buffer,
            // the previous buffer will be removed from the output queue. Decrement
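
Review bot: The upper bound in the new validation, `slot > BufferQueue::NUM_BUFFER_SLOTS`, is off by one against the range the commit message gives, [0, BufferQueue::NUM_BUFFER_SLOTS). A slot equal to NUM_BUFFER_SLOTS passes the check, and the following `outputSlots.resize(slot + 1)` then grows the vector to NUM_BUFFER_SLOTS + 1 entries for an index the buffer queue should never return. Suggest `slot >= BufferQueue::NUM_BUFFER_SLOTS`, which rejects that value with BAD_VALUE and caps the resize at the real slot count. The log text "bigger than expected maximum %d" would then also match the condition, since NUM_BUFFER_SLOTS is a count rather than the largest valid index. A short comment above the resize stating that slot has already been bounded would help the next reader see why the signed-to-size_t cast and the unchecked `outputSlots[slot]` access are safe.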