
Commit d047631c authored by Cliff Wu's avatar Cliff Wu

Fix the crash of deallocate caused by delete array error on storeInjectionConfig()

Root cause: Because mInjectionConfig is plain old data, it is not
initialized to 0. In this case, if we use delete[] to
delete mInjectionConfig.streams, a deallocation crash may occur.

Solution: A new vector member variable is added to store the stream
of the internal camera, replacing the original new/delete[] method
for storing the stream to avoid another deallocation crash caused by
uninitialized mInjectionConfig.

Bug: 194700088
Test: Manual
Change-Id: Ic3d825fce7b6fefea65e7ce27072ed32f275d4bb
parent 35f60d25
+3 −0
@@ -1420,6 +1420,9 @@ class Camera3Device :
        // Copy the configuration of the internal camera.
        camera3::camera_stream_configuration mInjectionConfig;

        // Copy the streams of the internal camera.
        Vector<camera3::camera_stream_t*> mInjectionStreams;

        // Copy the bufferSizes of the output streams of the internal camera.
        std::vector<uint32_t> mInjectionBufferSizes;
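Review bot: `mInjectionConfig` is still declared without an initializer beside the new `mInjectionStreams`, so by the commit description's own root cause its `streams` and `num_streams` fields hold indeterminate values until the first storeInjectionConfig() call. The commit removes the `delete[]` that crashed on that value, but any other code that reads the struct before a store would still see it (whether such a reader exists is not visible in this diff). Value-initializing the member, `camera3::camera_stream_configuration mInjectionConfig{};`, would close that gap. The comment on the new member could also say what it is for, e.g. `// Backing storage for mInjectionConfig.streams; holds borrowed camera_stream_t pointers.`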

+6 −12
@@ -193,11 +193,6 @@ status_t Camera3Device::Camera3DeviceInjectionMethods::injectCamera(

status_t Camera3Device::Camera3DeviceInjectionMethods::stopInjection() {
    status_t res = NO_ERROR;
    mIsStreamConfigCompleteButNotInjected = false;
    if (mInjectionConfig.streams != nullptr) {
        delete [] mInjectionConfig.streams;
        mInjectionConfig.streams = nullptr;
    }

    sp<Camera3Device> parent = mParent.promote();
    if (parent == nullptr) {
@@ -269,16 +264,12 @@ void Camera3Device::Camera3DeviceInjectionMethods::storeInjectionConfig(
        const camera3::camera_stream_configuration& injectionConfig,
        const std::vector<uint32_t>& injectionBufferSizes) {
    mIsStreamConfigCompleteButNotInjected = true;
    if (mInjectionConfig.streams != nullptr) {
        delete [] mInjectionConfig.streams;
        mInjectionConfig.streams = nullptr;
    }
    mInjectionConfig = injectionConfig;
    mInjectionConfig.streams =
        (android::camera3::camera_stream_t **) new camera_stream_t*[injectionConfig.num_streams];
    mInjectionStreams.clear();
    for (size_t i = 0; i < injectionConfig.num_streams; i++) {
        mInjectionConfig.streams[i] = injectionConfig.streams[i];
        mInjectionStreams.push_back(injectionConfig.streams[i]);
    }
    mInjectionConfig.streams = mInjectionStreams.editArray();
    mInjectionBufferSizes = injectionBufferSizes;
}

@@ -359,6 +350,9 @@ status_t Camera3Device::Camera3DeviceInjectionMethods::injectionConfigureStreams
void Camera3Device::Camera3DeviceInjectionMethods::injectionDisconnectImpl() {
    ATRACE_CALL();
    ALOGI("%s: Injection camera disconnect", __FUNCTION__);
    mIsStreamConfigCompleteButNotInjected = false;
    mInjectionStreams.clear();
    mInjectionConfig.streams = nullptr;

    mBackupHalInterface = nullptr;
    HalInterface* interface = nullptr;
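Review bot: After `mInjectionConfig.streams = mInjectionStreams.editArray();` in storeInjectionConfig(), the struct holds a raw pointer into the Vector's buffer, so any later `push_back` or `clear` on `mInjectionStreams` that is not followed by re-assigning or nulling `streams` leaves it dangling. That invariant deserves a comment at that line, e.g. `// streams aliases mInjectionStreams' storage; re-point or null it after every mutation of the Vector`. In injectionDisconnectImpl() the new lines null `streams`, but the visible lines leave `mInjectionConfig.num_streams` at its previous value, so a consumer that loops on `num_streams` would index a null array; adding `mInjectionConfig.num_streams = 0;` beside it keeps the pair consistent. The copy loop also trusts `injectionConfig.num_streams` to match the caller's `streams` array, and the stored `camera_stream_t*` values are shallow copies whose lifetime is not visible in this diff. injectionDisconnectImpl() continues past the end of the hunk.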