Gitiles
Code Review Sign In
gerrit.omnirom.org / android_frameworks_base / 06aaf05f00c32f5421ee3c97587055ab45f36d9b^! / .
commit06aaf05f00c32f5421ee3c97587055ab45f36d9b[log] [tgz]
authorKwangkyu Park <kk48.park@samsung.corp-partner.google.com>Wed May 17 14:54:47 2023 +0900
committerEmilian Peev <epeev@google.com>Mon May 22 09:38:40 2023 -0700
treed8942eb42b942282d58afbc603da93fbe7408554
parentecbd3d61dd136c1d4f53509e476c98b800752a7d [diff]
Camera: Address an issue that the invalid memory is accessed

If the ImagePlanes is initiailized the HardwareBuffer and is close()'ed
by finalizer then the invalid memory access to the GraphicBufferWrapper
and GraphicBuffer could be happen.

This patch addressed the issue by properly clearing fields after
being destoyed.

Bug: 283038375
Test: Test extensions proxy service with advanced extender
implementation while maintaining a reference counter so that the
ExtensionImage is finalized without invoking close.

Change-Id: Iab49da708daf0099d029cda6873cb2e811377fbc

diff --git a/graphics/java/android/graphics/GraphicBuffer.java b/graphics/java/android/graphics/GraphicBuffer.java
index f9113a2..6705b25 100644
--- a/graphics/java/android/graphics/GraphicBuffer.java
+++ b/graphics/java/android/graphics/GraphicBuffer.java

@@ -57,7 +57,7 @@
     private final int mUsage;
     // Note: do not rename, this field is used by native code
     @UnsupportedAppUsage(maxTargetSdk = Build.VERSION_CODES.R, trackingBug = 170729553)
-    private final long mNativeObject;
+    private long mNativeObject;
 
     // These two fields are only used by lock/unlockCanvas()
     private Canvas mCanvas;
@@ -219,6 +219,7 @@
         if (!mDestroyed) {
             mDestroyed = true;
             nDestroyGraphicBuffer(mNativeObject);
+            mNativeObject = 0;
         }
     }
 
@@ -239,7 +240,7 @@
     @Override
     protected void finalize() throws Throwable {
         try {
-            if (!mDestroyed) nDestroyGraphicBuffer(mNativeObject);
+            destroy();
         } finally {
             super.finalize();
         }

diff --git a/media/jni/android_media_ImageReader.cpp b/media/jni/android_media_ImageReader.cpp
index ca1bb3e..da2e56f 100644
--- a/media/jni/android_media_ImageReader.cpp
+++ b/media/jni/android_media_ImageReader.cpp

@@ -768,6 +768,7 @@
             android_graphics_GraphicBuffer_getNativeGraphicsBuffer(env, buffer);
     if (graphicBuffer.get() == NULL) {
         jniThrowRuntimeException(env, "Invalid graphic buffer!");
+        return;
     }
 
     status_t res = graphicBuffer->unlock();

diff --git a/packages/services/CameraExtensionsProxy/src/com/android/cameraextensions/CameraExtensionsProxyService.java b/packages/services/CameraExtensionsProxy/src/com/android/cameraextensions/CameraExtensionsProxyService.java
index f31ca81..c2ebddf 100644
--- a/packages/services/CameraExtensionsProxy/src/com/android/cameraextensions/CameraExtensionsProxyService.java
+++ b/packages/services/CameraExtensionsProxy/src/com/android/cameraextensions/CameraExtensionsProxyService.java

@@ -2057,7 +2057,11 @@
             mIsImageValid = false;
 
             if (mGraphicBuffer != null) {
-                ImageReader.unlockGraphicBuffer(mGraphicBuffer);
+                try {
+                    ImageReader.unlockGraphicBuffer(mGraphicBuffer);
+                } catch (RuntimeException e) {
+                    e.printStackTrace();
+                }
                 mGraphicBuffer.destroy();
                 mGraphicBuffer = null;
             }