Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit cbbd7e06 authored by Yin-Chia Yeh's avatar Yin-Chia Yeh
Browse files

RESTRICT AUTOMERGE: Camera: fix use after free in sensor timestamp 

The metadata object might be overriden later and has it memory
re-allocated; hence snaping the sensor timestamp value before
we call into any method that might change the metadata.

Test: build
Bug: 150944913
Merged-In: I0f944fc9133d3ab279859f20236d956d7ca338f8
Change-Id: I5b10b680e0cce96ca49e1772770adb4835545472
parent 687d14d2

services/camera/libcameraservice/device3/Camera3Device.cpp

+3 −1
Original line number Diff line number Diff line
@@ -3529,6 +3529,8 @@ void Camera3Device::sendCaptureResult(CameraMetadata &pendingMetadata, 
                frameNumber);

        return;

    }

    nsecs_t sensorTimestamp = timestamp.data.i64[0];



    for (auto& physicalMetadata : captureResult.mPhysicalMetadatas) {

        camera_metadata_entry timestamp =

                physicalMetadata.mPhysicalCameraMetadata.find(ANDROID_SENSOR_TIMESTAMP);
@@ -3583,7 +3585,7 @@ void Camera3Device::sendCaptureResult(CameraMetadata &pendingMetadata, 
                CameraMetadata(m.mPhysicalCameraMetadata));

    }

    mTagMonitor.monitorMetadata(TagMonitor::RESULT,

            frameNumber, timestamp.data.i64[0], captureResult.mMetadata,

            frameNumber, sensorTimestamp, captureResult.mMetadata,

            monitoredPhysicalMetadata);



    insertResultLocked(&captureResult, frameNumber);