Commit 7eb18466 authored by Ray Essick

Check frame handle validity before freeing buffer.

in CameraSource::releaseRecordingFrame(), validate the
VideoNativeHandleMetadata field when received. Avoid releasing
invalid handles (and thus invalid memory) if this has been
corrupted in user space.

Bug: 37662122
Test: poc before/after on nyc-mr2
parent 9eef26c3
+8 −0
@@ -970,6 +970,14 @@ void CameraSource::releaseRecordingFrame(const sp<IMemory>& frame) {
        }

        if (handle != nullptr) {
            ssize_t offset;
            size_t size;
            sp<IMemoryHeap> heap = frame->getMemory(&offset, &size);
            if (heap->getHeapID() != mMemoryHeapBase->getHeapID()) {
                ALOGE("%s: Mismatched heap ID, ignoring release (got %x, expected %x)",
		     __FUNCTION__, heap->getHeapID(), mMemoryHeapBase->getHeapID());
                return;
            }
            uint32_t batchSize = 0;
            {
                Mutex::Autolock autoLock(mBatchLock);
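
Review bot: heap is dereferenced without a null test in the new heap-ID check: `sp<IMemoryHeap> heap = frame->getMemory(&offset, &size);` is followed directly by `heap->getHeapID()`, and mMemoryHeapBase is dereferenced the same way. Since this path exists to reject frames corrupted in user space, a frame for which getMemory() yields no heap should take the same log-and-return path rather than being dereferenced; folding `heap == nullptr` (and a check on mMemoryHeapBase) into the condition would cover it. In the lines shown, offset and size are fetched but never compared against anything, so only the heap identity is validated, not where in that heap the metadata sits; either check them against the expected buffer range or add a comment stating that the heap ID alone is the intended test. Style: the continuation line of the ALOGE call is indented with a tab while the rest of the block uses spaces.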