commit b861016d9c9ba20f3ca7b5b64800e1e254e75c31
author Avichal Rakesh <arakesh@google.com> Wed Nov 08 18:21:10 2023 -0800
committer Avichal Rakesh <arakesh@google.com> Tue Nov 14 20:52:35 2023 +0000
tree bb0f1241f74942722f208d2e9ed163d150517636
parent 6e7e4e4a785d33cfa1a36b44aa245ae1cc797894

cameraservice: handle invalid native_handle from vndk impl

Cameraservice creates a H2BGraphicBufferProducer from a
native_handle_t. However, for native_handles that don't originate
from AImageReader_getWindowNativeHandle, the conversion returns
a nullptr. If this value is not checked, this results in cameraservice
crashing further down the stack.

This CL add a nullptr check and skips adding the IGBP if the
native_handle is malformed or invalid.

Bug: 309752167
Test: Verified by partner
Change-Id: I2e853f55d32f3cfe2fa51781f4eb87ee3de6607a

services/camera/libcameraservice/hidl/Utils.cpp

diff --git a/services/camera/libcameraservice/hidl/Utils.cpp b/services/camera/libcameraservice/hidl/Utils.cpp
index b5dddf7..d0302d0 100644
--- a/services/camera/libcameraservice/hidl/Utils.cpp
+++ b/services/camera/libcameraservice/hidl/Utils.cpp
@@ -88,7 +88,13 @@
     auto &windowHandles = hOutputConfiguration.windowHandles;
     iGBPs.reserve(windowHandles.size());
     for (auto &handle : windowHandles) {
-        iGBPs.push_back(new H2BGraphicBufferProducer(AImageReader_getHGBPFromHandle(handle)));
+        auto igbp = AImageReader_getHGBPFromHandle(handle);
+        if (igbp == nullptr) {
+            ALOGE("%s: Could not get HGBP from native_handle: %p. Skipping.",
+                    __FUNCTION__, handle.getNativeHandle());
+            continue;
+        }
+        iGBPs.push_back(new H2BGraphicBufferProducer(igbp));
     }
     hardware::camera2::params::OutputConfiguration outputConfiguration(
         iGBPs, convertFromHidl(hOutputConfiguration.rotation),