commit 60afc2fd8dab203a5697adbdb8dd4718d00bd9f1
author Yin-Chia Yeh <yinchiayeh@google.com> Mon Mar 09 14:50:36 2020 -0700
committer Yin-Chia Yeh <yinchiayeh@google.com> Mon Mar 09 22:20:00 2020 +0000
tree 842837bbb7fb0acdbc674fd992faaa73b17d8d54
parent 0b23d9c7e6b7097b3fd104e3713a3914ee0eb579

Camera: fix use after free in sensor timestamp

The metadata object might be overriden later and has it memory
re-allocated; hence snaping the sensor timestamp value before
we call into any method that might change the metadata.

Test: build
Bug: 150944913
Change-Id: I0f944fc9133d3ab279859f20236d956d7ca338f8

services/camera/libcameraservice/device3/Camera3OutputUtils.cpp

diff --git a/services/camera/libcameraservice/device3/Camera3OutputUtils.cpp b/services/camera/libcameraservice/device3/Camera3OutputUtils.cpp
index 238356e..4c8366f 100644
--- a/services/camera/libcameraservice/device3/Camera3OutputUtils.cpp
+++ b/services/camera/libcameraservice/device3/Camera3OutputUtils.cpp
@@ -246,6 +246,8 @@
                 frameNumber);
         return;
     }
+    nsecs_t sensorTimestamp = timestamp.data.i64[0];
+
     for (auto& physicalMetadata : captureResult.mPhysicalMetadatas) {
         camera_metadata_entry timestamp =
                 physicalMetadata.mPhysicalCameraMetadata.find(ANDROID_SENSOR_TIMESTAMP);
@@ -337,7 +339,7 @@
                 CameraMetadata(m.mPhysicalCameraMetadata));
     }
     states.tagMonitor.monitorMetadata(TagMonitor::RESULT,
-            frameNumber, timestamp.data.i64[0], captureResult.mMetadata,
+            frameNumber, sensorTimestamp, captureResult.mMetadata,
             monitoredPhysicalMetadata);
 
     insertResultLocked(states, &captureResult, frameNumber);