DO NOT MERGE: Camera: Adjust pointers to ANW buffers to avoid infoleak
Subtract address of a random static object from pointers being routed
through app process.
Bug: 28466701
Change-Id: Idcbfe81e9507433769672f3dc6d67db5eeed4e04
diff --git a/camera/ICameraRecordingProxy.cpp b/camera/ICameraRecordingProxy.cpp
index 7223b6d..16a3d02 100644
--- a/camera/ICameraRecordingProxy.cpp
+++ b/camera/ICameraRecordingProxy.cpp
@@ -31,6 +31,11 @@
RELEASE_RECORDING_FRAME,
};
+uint8_t ICameraRecordingProxy::baseObject = 0;
+
+size_t ICameraRecordingProxy::getCommonBaseAddress() {
+ return (size_t)&baseObject;
+}
class BpCameraRecordingProxy: public BpInterface<ICameraRecordingProxy>
{
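Review bot: `getCommonBaseAddress()` returns the address of a static in this library, so the subtraction in StreamingProcessor and the addition in CameraSource presumably only cancel when both ends run in the same process, or map the library at the same address. Nothing in the new lines states or checks that assumption. The value placed in the shared buffer is still the handle pointer minus a per-process constant, so this masks the pointer rather than removing it from app-visible memory. I would record both facts above the definition, for example `// Process-local offset used to mask handle pointers in app-visible buffers; producer and consumer must share this address. This is masking only.` The cast could also be `reinterpret_cast<uintptr_t>(&baseObject)` instead of the C-style `(size_t)`.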
@@ -106,4 +111,3 @@
// ----------------------------------------------------------------------------
}; // namespace android
-
diff --git a/include/camera/ICameraRecordingProxy.h b/include/camera/ICameraRecordingProxy.h
index 2aac284..4edf9cd 100644
--- a/include/camera/ICameraRecordingProxy.h
+++ b/include/camera/ICameraRecordingProxy.h
@@ -83,6 +83,12 @@
virtual status_t startRecording(const sp<ICameraRecordingProxyListener>& listener) = 0;
virtual void stopRecording() = 0;
virtual void releaseRecordingFrame(const sp<IMemory>& mem) = 0;
+
+ // b/28466701
+ static size_t getCommonBaseAddress();
+ private:
+
+ static uint8_t baseObject;
};
// ----------------------------------------------------------------------------
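Review bot: The declaration of `getCommonBaseAddress()` carries only the bug number `// b/28466701`, which tells a caller nothing about what the value is or how it may be used. Since this is a public static on an interface class, I would document it in place: `// Returns a process-local constant used to offset buffer_handle_t values stored in metadata buffers that pass through the app process (b/28466701). Never send or log the returned value.` The class body starts outside this hunk, so I cannot tell whether other members follow a doc-comment convention.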
diff --git a/include/media/stagefright/CameraSource.h b/include/media/stagefright/CameraSource.h
index dd0a106..cc46801 100644
--- a/include/media/stagefright/CameraSource.h
+++ b/include/media/stagefright/CameraSource.h
@@ -234,6 +234,9 @@
status_t checkFrameRate(const CameraParameters& params,
int32_t frameRate);
+ static void adjustIncomingANWBuffer(IMemory* data);
+ static void adjustOutgoingANWBuffer(IMemory* data);
+
void stopCameraRecording();
status_t reset();
diff --git a/media/libstagefright/CameraSource.cpp b/media/libstagefright/CameraSource.cpp
index f76aed6..7d2e0a4 100644
--- a/media/libstagefright/CameraSource.cpp
+++ b/media/libstagefright/CameraSource.cpp
@@ -27,8 +27,10 @@
#include <media/stagefright/MediaDefs.h>
#include <media/stagefright/MediaErrors.h>
#include <media/stagefright/MetaData.h>
+#include <media/hardware/HardwareAPI.h>
#include <camera/Camera.h>
#include <camera/CameraParameters.h>
+#include <camera/ICameraRecordingProxy.h>
#include <gui/Surface.h>
#include <utils/String8.h>
#include <cutils/properties.h>
@@ -770,6 +772,8 @@
List<sp<IMemory> >::iterator it;
while (!mFramesReceived.empty()) {
it = mFramesReceived.begin();
+ // b/28466701
+ adjustOutgoingANWBuffer(it->get());
releaseRecordingFrame(*it);
mFramesReceived.erase(it);
++mNumFramesDropped;
@@ -790,6 +794,9 @@
for (List<sp<IMemory> >::iterator it = mFramesBeingEncoded.begin();
it != mFramesBeingEncoded.end(); ++it) {
if ((*it)->pointer() == buffer->data()) {
+ // b/28466701
+ adjustOutgoingANWBuffer(it->get());
+
releaseOneRecordingFrame((*it));
mFramesBeingEncoded.erase(it);
++mNumFramesEncoded;
@@ -890,6 +897,10 @@
++mNumFramesReceived;
CHECK(data != NULL && data->size() > 0);
+
+ // b/28466701
+ adjustIncomingANWBuffer(data.get());
+
mFramesReceived.push_back(data);
int64_t timeUs = mStartTimeUs + (timestampUs - mFirstFrameTimeUs);
mFrameTimes.push_back(timeUs);
@@ -903,6 +914,26 @@
return mIsMetaDataStoredInVideoBuffers;
}
+void CameraSource::adjustIncomingANWBuffer(IMemory* data) {
+ uint8_t *payload =
+ reinterpret_cast<uint8_t*>(data->pointer());
+ if (*(uint32_t*)payload == kMetadataBufferTypeGrallocSource) {
+ buffer_handle_t* pBuffer = (buffer_handle_t*)(payload + 4);
+ *pBuffer = (buffer_handle_t)((uint8_t*)(*pBuffer) +
+ ICameraRecordingProxy::getCommonBaseAddress());
+ }
+}
+
+void CameraSource::adjustOutgoingANWBuffer(IMemory* data) {
+ uint8_t *payload =
+ reinterpret_cast<uint8_t*>(data->pointer());
+ if (*(uint32_t*)payload == kMetadataBufferTypeGrallocSource) {
+ buffer_handle_t* pBuffer = (buffer_handle_t*)(payload + 4);
+ *pBuffer = (buffer_handle_t)((uint8_t*)(*pBuffer) -
+ ICameraRecordingProxy::getCommonBaseAddress());
+ }
+}
+
CameraSource::ProxyListener::ProxyListener(const sp<CameraSource>& source) {
mSource = source;
}
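Review bot: `adjustIncomingANWBuffer()` and `adjustOutgoingANWBuffer()` dereference `data->pointer()` and then read and write `payload + 4` without checking that the pointer is non-null or that `data->size()` covers the 4-byte type tag plus a `buffer_handle_t`. The only size check visible at the incoming call site is `CHECK(data != NULL && data->size() > 0)`, and the two release paths add none. Per the commit message this memory is routed through the app process, so neither its length nor the type tag should be trusted before the in-place rewrite. I would add the guard below to both helpers, or fold them into one helper that takes the sign, since the bodies differ only in `+` versus `-`.

```cpp
void CameraSource::adjustIncomingANWBuffer(IMemory* data) {
    // Buffer has passed through the app process: make sure it can hold the
    // type tag and the handle before reading or rewriting either.
    if (data == NULL || data->pointer() == NULL ||
            data->size() < sizeof(uint32_t) + sizeof(buffer_handle_t)) {
        return;
    }
    uint8_t *payload =
            reinterpret_cast<uint8_t*>(data->pointer());
    // … unchanged: kMetadataBufferTypeGrallocSource check and handle adjustment …
}
```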
diff --git a/services/camera/libcameraservice/api1/client2/StreamingProcessor.cpp b/services/camera/libcameraservice/api1/client2/StreamingProcessor.cpp
index 9e7fff8..37df24d 100644
--- a/services/camera/libcameraservice/api1/client2/StreamingProcessor.cpp
+++ b/services/camera/libcameraservice/api1/client2/StreamingProcessor.cpp
@@ -29,6 +29,7 @@
#include <utils/Trace.h>
#include <gui/Surface.h>
#include <media/hardware/MetadataBufferType.h>
+#include <camera/ICameraRecordingProxy.h>
#include "common/CameraDeviceBase.h"
#include "api1/Camera2Client.h"
@@ -768,7 +769,10 @@
uint8_t *data = (uint8_t*)heap->getBase() + offset;
uint32_t type = kMetadataBufferTypeGrallocSource;
*((uint32_t*)data) = type;
- *((buffer_handle_t*)(data + 4)) = imgBuffer.mGraphicBuffer->handle;
+ buffer_handle_t* pBuffer = (buffer_handle_t*)(data + 4);
+ *pBuffer = (buffer_handle_t)(
+ (uint8_t*)imgBuffer.mGraphicBuffer->handle -
+ ICameraRecordingProxy::getCommonBaseAddress());
ALOGVV("%s: Camera %d: Sending out buffer_handle_t %p",
__FUNCTION__, mId,
imgBuffer.mGraphicBuffer->handle);
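Review bot: The `ALOGVV` call right after the new masking code still prints the unmasked `imgBuffer.mGraphicBuffer->handle` with `%p`. `ALOGVV` is normally compiled out, but in a build that enables it the log receives the same pointer this change keeps out of the app-visible buffer. I would drop the pointer argument: `ALOGVV("%s: Camera %d: Sending out recording buffer", __FUNCTION__, mId);`. The enclosing function starts and ends outside the hunk.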
@@ -814,8 +818,10 @@
}
// Release the buffer back to the recording queue
-
- buffer_handle_t imgHandle = *(buffer_handle_t*)(data + 4);
+ // b/28466701
+ buffer_handle_t* pBuffer = (buffer_handle_t*)(data + 4);
+ buffer_handle_t imgHandle = (buffer_handle_t)((uint8_t*)(*pBuffer) +
+ ICameraRecordingProxy::getCommonBaseAddress());
size_t itemIndex;
for (itemIndex = 0; itemIndex < mRecordingBuffers.size(); itemIndex++) {