Gitiles
Code Review Sign In
gerrit.omnirom.org / android_frameworks_av / 1c484a65f1afeec8e4bf2aecbeab9df103f14c85^! / . / services / camera
commit1c484a65f1afeec8e4bf2aecbeab9df103f14c85[log] [tgz]
authorShuzhen Wang <shuzhenwang@google.com>Fri Jul 14 15:14:19 2017 -0700
committerShuzhen Wang <shuzhenwang@google.com>Fri Jul 14 16:27:58 2017 -0700
tree72f0e7680065017a1553f2cc00e60766cefcccd6
parentac31fb897846c6e8c72ade7fa5e4ab3c00bf77c9 [diff]
Camera: Fix "use after free" for mOutstandingBuffers

Fix below use after free issues:

==4947==ERROR: AddressSanitizer: heap-use-after-free on address
0xec61f434 at pc 0xf1954c18 bp 0xed3ff6f0 sp 0xed3ff6e8
READ of size 4 at 0xec61f434 thread T12 (C3Dev-1-ReqQueu)
  #0 0xf1954c17 in _ZN7android7camera313Camera3Stream23removeOutstandingBufferERK21camera3_stream_buffer
  frameworks/av/services/camera/libcameraservice/device3/Camera3Stream.cpp:508
  #1 0xf1954c17 in _ZN7android7camera313Camera3Stream12returnBufferERK21camera3_stream_bufferx
  frameworks/av/services/camera/libcameraservice/device3/Camera3Stream.cpp:543
  #2 0xf193c663 in _ZN7android13Camera3Device13RequestThread21cleanUpFailedRequestsEb
  frameworks/av/services/camera/libcameraservice/device3/Camera3Device.cpp:4131
  #3 0xf193db5b in _ZN7android13Camera3Device13RequestThread10threadLoopEv
  frameworks/av/services/camera/libcameraservice/device3/Camera3Device.cpp:3854
  #4 0xf1562f35 in _ZN7android6Thread11_threadLoopEPv system/core/libutils/Threads.cpp:747
  #5 0xf0ee6947 in _ZL15__pthread_startPv bionic/libc/bionic/pthread_create.cpp:214
  #6 0xf0eba381 in __start_thread bionic/libc/bionic/clone.cpp:47

0xec61f434 is located 68 bytes inside of 136-byte region [0xec61f3f0,0xec61f478)
freed by thread T0 here:
  #7 0xf1a64963 in _ZdlPvSt11align_val_tRKSt9nothrow_t [asan_rtl]
  #8 0xf155df09 in _ZNK7android7RefBase9decStrongEPKv system/core/libutils/RefBase.cpp:435
  #9 0xf19693ab in _ZN7android7camera319Camera3OutputStream22BufferReleasedListener16onBufferReleasedEv
    frameworks/av/services/camera/libcameraservice/device3/Camera3OutputStream.cpp:720
  #3 0x1ff56dfb  (<unknown module>)

Bug: 62218367
Change-Id: Ib03415f73a1e3c283520af752904b1bcc40bff28

diff --git a/services/camera/libcameraservice/device3/Camera3Stream.cpp b/services/camera/libcameraservice/device3/Camera3Stream.cpp
index 9297ac8..6789292 100644
--- a/services/camera/libcameraservice/device3/Camera3Stream.cpp
+++ b/services/camera/libcameraservice/device3/Camera3Stream.cpp

@@ -523,6 +523,8 @@
         return BAD_VALUE;
     }
 
+    removeOutstandingBuffer(buffer);
+
     /**
      * TODO: Check that the state is valid first.
      *
@@ -540,7 +542,6 @@
     // buffer to be returned.
     mOutputBufferReturnedSignal.signal();
 
-    removeOutstandingBuffer(buffer);
     return res;
 }
 
@@ -591,13 +592,14 @@
         return BAD_VALUE;
     }
 
+    removeOutstandingBuffer(buffer);
+
     status_t res = returnInputBufferLocked(buffer);
     if (res == OK) {
         fireBufferListenersLocked(buffer, /*acquired*/false, /*output*/false);
         mInputBufferReturnedSignal.signal();
     }
 
-    removeOutstandingBuffer(buffer);
     return res;
 }