Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 1877b47b authored by Avichal Rakesh's avatar Avichal Rakesh
Browse files

Ensure correct read of jpeg header blob 

When using HIDL HAL, camera service rewrites jpeg header to match
camera3_jpeg_blob_v2 struct. The original buffer might be generated to
use the HIDL header which might have a smaller size and different memory
alignment requirements than camera3_jpeg_blob_v2. CameraServer puts the
header as the very last bytes of the incoming buffer. Since the size and
location of buffer is variable, it is possible that directly reading the
header values from the bufffer fails because of memory alignment
requirements.

This CL uses memcpy to extract the header into the stack to ensure we
don't run into memory alignment errors when reading the header from the
jpeg buffer.

Bug: 233986162
Test: Camera CTS Passes, and verified by partner
Change-Id: I8d7ef872b4c7319349ebd1c5e83707ef4724c744
parent 99945d5d

media/jni/android_media_Utils.cpp

+9 −4
Original line number Diff line number Diff line
@@ -123,10 +123,15 @@ uint32_t Image_getBlobSize(LockedImage* buffer, bool usingRGBAOverride) { 


    // First check for BLOB transport header at the end of the buffer

    uint8_t* header = blobBuffer + (width - sizeof(struct camera3_jpeg_blob_v2));

    struct camera3_jpeg_blob_v2 *blob = (struct camera3_jpeg_blob_v2*)(header);

    if (blob->jpeg_blob_id == CAMERA3_JPEG_BLOB_ID ||

            blob->jpeg_blob_id == CAMERA3_HEIC_BLOB_ID) {

        size = blob->jpeg_size;



    // read camera3_jpeg_blob_v2 from the end of the passed buffer.

    // requires memcpy because 'header' might not be properly aligned.

    struct camera3_jpeg_blob_v2 blob;

    memcpy(&blob, header, sizeof(struct camera3_jpeg_blob_v2));



    if (blob.jpeg_blob_id == CAMERA3_JPEG_BLOB_ID ||

            blob.jpeg_blob_id == CAMERA3_HEIC_BLOB_ID) {

        size = blob.jpeg_size;

        ALOGV("%s: Jpeg/Heic size = %d", __FUNCTION__, size);

    }