Fix the crash of deallocate caused by delete array error on storeInjectionConfig()
Root cause: Because mInjectionConfig is plain old data, it is not
initialized to 0. In this case, if we use delete[] to
free mInjectionConfig.streams, a deallocation crash may occur.
Solution: A new vector member variable is added to store the stream
of the internal camera, replacing the original new/delete[] method
for storing the stream to avoid another deallocation crash caused by
uninitialized mInjectionConfig.
Bug: 194700088
Test: Manual
Change-Id: Ic3d825fce7b6fefea65e7ce27072ed32f275d4bb
diff --git a/services/camera/libcameraservice/device3/Camera3DeviceInjectionMethods.cpp b/services/camera/libcameraservice/device3/Camera3DeviceInjectionMethods.cpp
index 7026934..4744a6d 100644
--- a/services/camera/libcameraservice/device3/Camera3DeviceInjectionMethods.cpp
+++ b/services/camera/libcameraservice/device3/Camera3DeviceInjectionMethods.cpp
@@ -193,11 +193,6 @@
status_t Camera3Device::Camera3DeviceInjectionMethods::stopInjection() {
status_t res = NO_ERROR;
- mIsStreamConfigCompleteButNotInjected = false;
- if (mInjectionConfig.streams != nullptr) {
- delete [] mInjectionConfig.streams;
- mInjectionConfig.streams = nullptr;
- }
sp<Camera3Device> parent = mParent.promote();
if (parent == nullptr) {
@@ -269,16 +264,12 @@
const camera3::camera_stream_configuration& injectionConfig,
const std::vector<uint32_t>& injectionBufferSizes) {
mIsStreamConfigCompleteButNotInjected = true;
- if (mInjectionConfig.streams != nullptr) {
- delete [] mInjectionConfig.streams;
- mInjectionConfig.streams = nullptr;
- }
mInjectionConfig = injectionConfig;
- mInjectionConfig.streams =
- (android::camera3::camera_stream_t **) new camera_stream_t*[injectionConfig.num_streams];
+ mInjectionStreams.clear();
for (size_t i = 0; i < injectionConfig.num_streams; i++) {
- mInjectionConfig.streams[i] = injectionConfig.streams[i];
+ mInjectionStreams.push_back(injectionConfig.streams[i]);
}
+ mInjectionConfig.streams = mInjectionStreams.editArray();
mInjectionBufferSizes = injectionBufferSizes;
}
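Review bot: After `mInjectionConfig.streams = mInjectionStreams.editArray();` the config holds a raw pointer into the vector's own storage, so it is valid only until mInjectionStreams is next modified or destroyed, and nothing in the code records that. I would add a comment above that line, e.g. `// streams aliases mInjectionStreams' buffer; re-point or null it whenever the vector changes`, and a matching note on the member declaration. It is also worth confirming that no caller passes a config whose `streams` already points at mInjectionStreams, because `mInjectionStreams.clear()` runs before the loop reads `injectionConfig.streams[i]` and would leave that read on released storage. The function's signature begins above the hunk.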
@@ -359,6 +350,9 @@
void Camera3Device::Camera3DeviceInjectionMethods::injectionDisconnectImpl() {
ATRACE_CALL();
ALOGI("%s: Injection camera disconnect", __FUNCTION__);
+ mIsStreamConfigCompleteButNotInjected = false;
+ mInjectionStreams.clear();
+ mInjectionConfig.streams = nullptr;
mBackupHalInterface = nullptr;
HalInterface* interface = nullptr;
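Review bot: `mInjectionConfig.streams = nullptr;` leaves `mInjectionConfig.num_streams` at its previous value, so the struct then describes N streams behind a null array and any reader that loops on num_streams would dereference null. Adding `mInjectionConfig.num_streams = 0;` next to it keeps the pair consistent. The commit message says mInjectionConfig is never zero-initialized, so value-initializing the member where it is declared (outside this diff) would address the root cause rather than relying on this reset. The `mIsStreamConfigCompleteButNotInjected = false;` reset also moved here from stopInjection(), so it presumably depends on every stop path reaching this function, including the `parent == nullptr` branch whose body is not visible. This function's body continues past the hunk.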