Fix security vulnerability: potential OOB write in audioserver am: e275907e57 am: 01e854056a am: 3e8ab60b7f am: 9161586309 am: ad29b47d91 am: 8b9b199891 am: 72729c449d am: 97bb7fe084 am: 3d6aada999 am: ffe82a3b4a am: ec601622f8 am: f50635bdc4
am: f1e829a54e
Change-Id: I71c6e9e07cbaa40dd4ac535ff43813d8cfa44a30
diff --git a/camera/CameraBase.cpp b/camera/CameraBase.cpp
index 15d7715..194e1d3 100644
--- a/camera/CameraBase.cpp
+++ b/camera/CameraBase.cpp
@@ -20,6 +20,7 @@
#include <utils/Log.h>
#include <utils/threads.h>
#include <utils/Mutex.h>
+#include <cutils/properties.h>
#include <android/hardware/ICameraService.h>
@@ -90,6 +91,12 @@
{
Mutex::Autolock _l(gLock);
if (gCameraService.get() == 0) {
+ char value[PROPERTY_VALUE_MAX];
+ property_get("config.disable_cameraservice", value, "0");
+ if (strncmp(value, "0", 2) != 0 && strncasecmp(value, "false", 6) != 0) {
+ return gCameraService;
+ }
+
sp<IServiceManager> sm = defaultServiceManager();
sp<IBinder> binder;
do {
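Review bot: The added check on `config.disable_cameraservice` treats every value other than `0` or `false` as "disabled", so a setting such as `no` or `off` would switch the camera service off. cutils already provides `property_get_bool("config.disable_cameraservice", false)`, which parses the usual boolean spellings and would replace the local buffer and both string comparisons. The same parsing is repeated in `isCameraServiceDisabled()` in camera/ndk/impl/ACameraManager.cpp; a single shared helper would keep the two copies from drifting apart. The enclosing function starts and continues outside this hunk.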
diff --git a/camera/ndk/impl/ACameraManager.cpp b/camera/ndk/impl/ACameraManager.cpp
index 26d6679..35555ff 100644
--- a/camera/ndk/impl/ACameraManager.cpp
+++ b/camera/ndk/impl/ACameraManager.cpp
@@ -22,6 +22,7 @@
#include "ACameraMetadata.h"
#include "ACameraDevice.h"
#include <utils/Vector.h>
+#include <cutils/properties.h>
#include <stdlib.h>
#include <camera/VendorTagDescriptor.h>
@@ -71,9 +72,19 @@
mCameraService.clear();
}
+static bool isCameraServiceDisabled() {
+ char value[PROPERTY_VALUE_MAX];
+ property_get("config.disable_cameraservice", value, "0");
+ return (strncmp(value, "0", 2) != 0 && strncasecmp(value, "false", 6) != 0);
+}
+
sp<hardware::ICameraService> CameraManagerGlobal::getCameraService() {
Mutex::Autolock _l(mLock);
if (mCameraService.get() == nullptr) {
+ if (isCameraServiceDisabled()) {
+ return mCameraService;
+ }
+
sp<IServiceManager> sm = defaultServiceManager();
sp<IBinder> binder;
do {
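Review bot: The early `return mCameraService;` in the disabled branch hands back a null `sp`, and nothing at the return site records that this is intentional. A comment such as `// Camera service disabled by property: return the null sp; callers must check before use` would make the contract explicit. The same applies to the `return gCameraService;` added in camera/CameraBase.cpp. Callers of either function outside this diff presumably need a null check, which is worth confirming before merge. getCameraService's body continues outside the hunk.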
@@ -302,6 +313,13 @@
camera_status_t
ACameraManager::getOrCreateCameraIdListLocked(ACameraIdList** cameraIdList) {
if (mCachedCameraIdList.numCameras == kCameraIdListNotInit) {
+ if (isCameraServiceDisabled()) {
+ mCachedCameraIdList.numCameras = 0;
+ mCachedCameraIdList.cameraIds = new const char*[0];
+ *cameraIdList = &mCachedCameraIdList;
+ return ACAMERA_OK;
+ }
+
int numCameras = 0;
Vector<char *> cameraIds;
sp<hardware::ICameraService> cs = CameraManagerGlobal::getInstance().getCameraService();
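Review bot: The disabled branch stores `new const char*[0]` in `mCachedCameraIdList.cameraIds`; a zero-length array allocation is legal, but it still has to be released with `delete[]`, and the cache's cleanup path is outside this hunk, so it is not visible here whether the empty case is handled the same way as a populated list. A short comment on that line, e.g. `// empty but non-null so it is freed and consumed like a populated list`, would record why a null pointer is not used. The function body continues outside the hunk.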
diff --git a/media/libmediaplayerservice/MediaRecorderClient.cpp b/media/libmediaplayerservice/MediaRecorderClient.cpp
index d011d70..003418b 100644
--- a/media/libmediaplayerservice/MediaRecorderClient.cpp
+++ b/media/libmediaplayerservice/MediaRecorderClient.cpp
@@ -369,9 +369,13 @@
sp<IServiceManager> sm = defaultServiceManager();
sp<IBinder> binder = sm->getService(String16("media.camera"));
- mCameraDeathListener = new ServiceDeathNotifier(binder, listener,
- MediaPlayerService::CAMERA_PROCESS_DEATH);
- binder->linkToDeath(mCameraDeathListener);
+
+ // If the device does not have a camera, do not create a death listener for it.
+ if (binder != NULL) {
+ mCameraDeathListener = new ServiceDeathNotifier(binder, listener,
+ MediaPlayerService::CAMERA_PROCESS_DEATH);
+ binder->linkToDeath(mCameraDeathListener);
+ }
binder = sm->getService(String16("media.codec"));
mCodecDeathListener = new ServiceDeathNotifier(binder, listener,