libcamera2ndk_vendor: Fix potential use after free of camera_metadata_t
Bug: 131566406
Test: Use libcamera2ndk_vendor multiple times without seeing logs /
assertions indicating null metadata / corrupted metadata in
allocateACaptureRequest.
Change-Id: I2154a83bb97a4dd945f15328769b811e9485a0ac
Signed-off-by: Jayant Chowdhary <jchowdhary@google.com>
diff --git a/camera/ndk/ndk_vendor/impl/ACameraDevice.cpp b/camera/ndk/ndk_vendor/impl/ACameraDevice.cpp
index 1fdff40..b7a995d 100644
--- a/camera/ndk/ndk_vendor/impl/ACameraDevice.cpp
+++ b/camera/ndk/ndk_vendor/impl/ACameraDevice.cpp
@@ -262,12 +262,12 @@
void CameraDevice::addRequestSettingsMetadata(ACaptureRequest *aCaptureRequest,
sp<CaptureRequest> &req) {
CameraMetadata metadataCopy = aCaptureRequest->settings->getInternalData();
- const camera_metadata_t *camera_metadata = metadataCopy.getAndLock();
+ camera_metadata_t *camera_metadata = metadataCopy.release();
HCameraMetadata hCameraMetadata;
- utils::convertToHidl(camera_metadata, &hCameraMetadata);
- metadataCopy.unlock(camera_metadata);
+ utils::convertToHidl(camera_metadata, &hCameraMetadata, true);
req->mPhysicalCameraSettings.resize(1);
req->mPhysicalCameraSettings[0].settings.metadata(std::move(hCameraMetadata));
+ req->mPhysicalCameraSettings[0].id = getId();
}
camera_status_t CameraDevice::updateOutputConfigurationLocked(ACaptureSessionOutput *output) {
@@ -398,10 +398,9 @@
cameraSettings.id = id;
// TODO: Do we really need to copy the metadata here ?
CameraMetadata metadataCopy = metadata->getInternalData();
- const camera_metadata_t *cameraMetadata = metadataCopy.getAndLock();
+ camera_metadata_t *cameraMetadata = metadataCopy.release();
HCameraMetadata hCameraMetadata;
- utils::convertToHidl(cameraMetadata, &hCameraMetadata);
- metadataCopy.unlock(cameraMetadata);
+ utils::convertToHidl(cameraMetadata, &hCameraMetadata, true);
if (metadata != nullptr) {
if (hCameraMetadata.data() != nullptr &&
mCaptureRequestMetadataQueue != nullptr &&
@@ -426,11 +425,12 @@
const std::string& id = req->mPhysicalCameraSettings[i].id;
CameraMetadata clone;
utils::convertFromHidlCloned(req->mPhysicalCameraSettings[i].settings.metadata(), &clone);
+ camera_metadata_t *clonep = clone.release();
if (id == deviceId) {
- pRequest->settings = new ACameraMetadata(clone.release(), ACameraMetadata::ACM_REQUEST);
+ pRequest->settings = new ACameraMetadata(clonep, ACameraMetadata::ACM_REQUEST);
} else {
pRequest->physicalSettings[req->mPhysicalCameraSettings[i].id] =
- new ACameraMetadata(clone.release(), ACameraMetadata::ACM_REQUEST);
+ new ACameraMetadata(clonep, ACameraMetadata::ACM_REQUEST);
}
}
pRequest->targets = new ACameraOutputTargets();
diff --git a/camera/ndk/ndk_vendor/impl/utils.cpp b/camera/ndk/ndk_vendor/impl/utils.cpp
index 5d2d47c..e4fb204 100644
--- a/camera/ndk/ndk_vendor/impl/utils.cpp
+++ b/camera/ndk/ndk_vendor/impl/utils.cpp
@@ -64,13 +64,14 @@
return true;
}
-// Note: existing data in dst will be gone. Caller still owns the memory of src
-void convertToHidl(const camera_metadata_t *src, HCameraMetadata* dst) {
+// Note: existing data in dst will be gone. dst owns memory if shouldOwn is set
+// to true.
+void convertToHidl(const camera_metadata_t *src, HCameraMetadata* dst, bool shouldOwn) {
if (src == nullptr) {
return;
}
size_t size = get_camera_metadata_size(src);
- dst->setToExternal((uint8_t *) src, size);
+ dst->setToExternal((uint8_t *) src, size, shouldOwn);
return;
}
diff --git a/camera/ndk/ndk_vendor/impl/utils.h b/camera/ndk/ndk_vendor/impl/utils.h
index a03c7bc..f389f03 100644
--- a/camera/ndk/ndk_vendor/impl/utils.h
+++ b/camera/ndk/ndk_vendor/impl/utils.h
@@ -168,8 +168,8 @@
bool convertFromHidlCloned(const HCameraMetadata &metadata, CameraMetadata *rawMetadata);
-// Note: existing data in dst will be gone. Caller still owns the memory of src
-void convertToHidl(const camera_metadata_t *src, HCameraMetadata* dst);
+// Note: existing data in dst will be gone.
+void convertToHidl(const camera_metadata_t *src, HCameraMetadata* dst, bool shouldOwn = false);
TemplateId convertToHidl(ACameraDevice_request_template templateId);