Camera: Resize the output slot vector when needed
The output slot vector will be initialized with the total number of
buffers per output and any buffers that get attached are indexed via
the returned slot value. However there is no guarantee that the slot
will be within the [0, totalNumberOfBuffers) range. The buffer queue
can return anything from [0, BufferQueue::NUM_BUFFER_SLOTS) and this
can result in invalid memory operations and potential instabilities.
To resolve this, validate the slot value and resize the output slot
vector accordingly.
Bug: 74828453
Test: Camera CTS
Change-Id: I20502000a5c278eb9a81600282d1fad98455a2c4
diff --git a/services/camera/libcameraservice/device3/Camera3StreamSplitter.cpp b/services/camera/libcameraservice/device3/Camera3StreamSplitter.cpp
index e3bb5dc..f4d5a18 100644
--- a/services/camera/libcameraservice/device3/Camera3StreamSplitter.cpp
+++ b/services/camera/libcameraservice/device3/Camera3StreamSplitter.cpp
@@ -423,12 +423,20 @@
__FUNCTION__, gbp.get(), strerror(-res), res);
return res;
}
+ if ((slot < 0) || (slot > BufferQueue::NUM_BUFFER_SLOTS)) {
+ SP_LOGE("%s: Slot received %d either bigger than expected maximum %d or negative!",
+ __FUNCTION__, slot, BufferQueue::NUM_BUFFER_SLOTS);
+ return BAD_VALUE;
+ }
//During buffer attach 'mMutex' is not held which makes the removal of
//"gbp" possible. Check whether this is the case and continue.
if (mOutputSlots[gbp] == nullptr) {
continue;
}
auto& outputSlots = *mOutputSlots[gbp];
+ if (static_cast<size_t> (slot + 1) > outputSlots.size()) {
+ outputSlots.resize(slot + 1);
+ }
if (outputSlots[slot] != nullptr) {
// If the buffer is attached to a slot which already contains a buffer,
// the previous buffer will be removed from the output queue. Decrement
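Review bot: The range check `if ((slot < 0) || (slot > BufferQueue::NUM_BUFFER_SLOTS))` is off by one relative to the [0, BufferQueue::NUM_BUFFER_SLOTS) range the commit message describes: a slot equal to `NUM_BUFFER_SLOTS` passes the check, and the following `outputSlots.resize(slot + 1)` then grows the vector to `NUM_BUFFER_SLOTS + 1` entries, which contradicts the "bigger than expected maximum" wording of the SP_LOGE message. Suggest `if ((slot < 0) || (slot >= BufferQueue::NUM_BUFFER_SLOTS))` so the accepted values match the valid slot range, and consider resizing `outputSlots` to `BufferQueue::NUM_BUFFER_SLOTS` up front instead of incrementally on each attach, which keeps the indexing bound independent of the order in which slots are handed out.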