Commit e779e089 authored by Ray Essick

DO NOT MERGE Check frame handle validity before freeing buffer.

in CameraSource::releaseRecordingFrame(), validate the
VideoNativeHandleMetadata field when received. Avoid releasing invalid
handles (and thus invalid memory) if this has been corrupted in user space.

Bug: 37662122
Test: poc before/after on nyc-mr2
Change-Id: If48c050a5c20552604a90f19130ad5837e80bf52
parent 9d31e500
+8 −0
@@ -950,6 +950,14 @@ void CameraSource::releaseRecordingFrame(const sp<IMemory>& frame) {

        if (handle != nullptr) {
            // Frame contains a VideoNativeHandleMetadata. Send the handle back to camera.
            ssize_t offset;
            size_t size;
            sp<IMemoryHeap> heap = frame->getMemory(&offset, &size);
            if (heap->getHeapID() != mMemoryHeapBase->getHeapID()) {
                ALOGE("%s: Mismatched heap ID, ignoring release (got %x, expected %x)",
		     __FUNCTION__, heap->getHeapID(), mMemoryHeapBase->getHeapID());
                return;
            }
            releaseRecordingFrameHandle(handle);
            mMemoryBases.push_back(frame);
            mMemoryBaseAvailableCond.signal();
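
Review bot: `heap` is dereferenced in `heap->getHeapID()` immediately after `frame->getMemory(&offset, &size)` with no null check, so a frame whose backing heap cannot be resolved would crash here instead of being rejected. Suggest `if (heap == nullptr || heap->getHeapID() != mMemoryHeapBase->getHeapID())`, with the ALOGE arguments adjusted so the null case does not call `heap->getHeapID()` again. Also, `offset` and `size` are fetched but never checked: the test compares heap IDs only, so a frame in the expected heap at an unexpected offset, or with a size too small for a VideoNativeHandleMetadata, still reaches `releaseRecordingFrameHandle(handle)`. Either validate them against the expected metadata size and the heap bounds, or drop the unused locals. Minor: the ALOGE continuation line is tab-indented while the surrounding lines use spaces, and `%x` is applied to the `getHeapID()` results, which would need a cast if that value is a signed int.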