Camera: Avoid 'outputBufferSizes' out-of-bounds access
The HAL interface stream configuration iterates over all
available streams, both input and output. However, the
'outputBufferSizes' vector includes buffer sizes only for
output streams. If an input stream is present, an invalid
memory access is possible. Resolve this by allocating enough
'outputBufferSizes' entries.
Bug: 72736744
Test: Camera CTS
Change-Id: I6973f1fbf499628437b7523aab6bf13c88015448
diff --git a/services/camera/libcameraservice/device3/Camera3Device.cpp b/services/camera/libcameraservice/device3/Camera3Device.cpp
index 9ba8bb7..324201b 100644
--- a/services/camera/libcameraservice/device3/Camera3Device.cpp
+++ b/services/camera/libcameraservice/device3/Camera3Device.cpp
@@ -2400,7 +2400,7 @@
Vector<camera3_stream_t*> streams;
streams.setCapacity(config.num_streams);
- std::vector<uint32_t> outBufSizes(mOutputStreams.size(), 0);
+ std::vector<uint32_t> bufferSizes(config.num_streams, 0);
if (mInputStream != NULL) {
@@ -2435,7 +2435,9 @@
if (outputStream->format == HAL_PIXEL_FORMAT_BLOB &&
outputStream->data_space == HAL_DATASPACE_V0_JFIF) {
- outBufSizes[i] = static_cast<uint32_t>(
+ size_t k = i + ((mInputStream != nullptr) ? 1 : 0); // Input stream if present should
+ // always occupy the initial entry.
+ bufferSizes[k] = static_cast<uint32_t>(
getJpegBufferSize(outputStream->width, outputStream->height));
}
}
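Review bot: The index `k = i + ((mInputStream != nullptr) ? 1 : 0)` re-derives the stream's slot instead of taking it from where `outputStream` is actually placed in `streams`. It therefore stays correct only while the input stream is always first and every loop iteration contributes exactly one entry. The loop body starts outside this hunk, so it is not visible whether an iteration can skip a stream; if one can, the JPEG size would land in another stream's slot and the HAL would be handed a wrong `bufferSize`. Consider recording the index at the point the stream is appended to `streams`, and guarding the write with `if (k < bufferSizes.size())` so a future change to the ordering cannot reintroduce the out-of-bounds access.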
@@ -2446,7 +2448,7 @@
// max_buffers, usage, priv fields.
const camera_metadata_t *sessionBuffer = sessionParams.getAndLock();
- res = mInterface->configureStreams(sessionBuffer, &config, outBufSizes);
+ res = mInterface->configureStreams(sessionBuffer, &config, bufferSizes);
sessionParams.unlock(sessionBuffer);
if (res == BAD_VALUE) {
@@ -3504,7 +3506,7 @@
}
status_t Camera3Device::HalInterface::configureStreams(const camera_metadata_t *sessionParams,
- camera3_stream_configuration *config, const std::vector<uint32_t>& outputBufferSizes) {
+ camera3_stream_configuration *config, const std::vector<uint32_t>& bufferSizes) {
ATRACE_NAME("CameraHal::configureStreams");
if (!valid()) return INVALID_OPERATION;
status_t res = OK;
@@ -3545,7 +3547,7 @@
dst3_2.dataSpace = mapToHidlDataspace(src->data_space);
dst3_2.rotation = mapToStreamRotation((camera3_stream_rotation_t) src->rotation);
dst3_4.v3_2 = dst3_2;
- dst3_4.bufferSize = outputBufferSizes[i];
+ dst3_4.bufferSize = bufferSizes[i];
if (src->physical_camera_id != nullptr) {
dst3_4.physicalCameraId = src->physical_camera_id;
}
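Review bot: `dst3_4.bufferSize = bufferSizes[i];` still indexes a caller-supplied vector with unchecked `operator[]`, so `configureStreams` stays exposed to the same out-of-bounds read if any caller passes fewer entries than there are streams. The commit corrects the one call site shown but leaves that contract unenforced in the callee. A check after the `valid()` test would make it explicit: `if (bufferSizes.size() < config->num_streams) return BAD_VALUE;`. The loop header and the top of the function are outside this hunk, so the bound on `i` is assumed to be `config->num_streams`, as the commit description implies.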