summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorHirokazu Honda <hiroh@chromium.org>2021-04-03 22:37:41 +0900
committerLaurent Pinchart <laurent.pinchart@ideasonboard.com>2021-04-04 01:47:32 +0300
commit90a0430abcfcd578659c184ae293b8af753f9182 (patch)
tree17cc4c86c6566975ac731531e454660c28c2d95c
parent7633a2d24d86554ef3586a7adad02f81555f4440 (diff)
android: CameraDevice: Add more camera3_capture_request validation
This adds more validation to camera3_capture_request mainly about buffer_handle values. Signed-off-by: Hirokazu Honda <hiroh@chromium.org> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
-rw-r--r--src/android/camera_device.cpp29
1 files changed, 28 insertions, 1 deletions
diff --git a/src/android/camera_device.cpp b/src/android/camera_device.cpp
index b45e7884..6bee49a5 100644
--- a/src/android/camera_device.cpp
+++ b/src/android/camera_device.cpp
@@ -263,11 +263,38 @@ bool isValidRequest(camera3_capture_request_t *camera3Request)
return false;
}
- if (!camera3Request->num_output_buffers) {
+ if (!camera3Request->num_output_buffers ||
+ !camera3Request->output_buffers) {
LOG(HAL, Error) << "No output buffers provided";
return false;
}
+ for (uint32_t i = 0; i < camera3Request->num_output_buffers; i++) {
+ const camera3_stream_buffer_t &outputBuffer =
+ camera3Request->output_buffers[i];
+ if (!outputBuffer.buffer || !(*outputBuffer.buffer)) {
+ LOG(HAL, Error) << "Invalid native handle";
+ return false;
+ }
+
+ const native_handle_t *handle = *outputBuffer.buffer;
+ constexpr int kNativeHandleMaxFds = 1024;
+ if (handle->numFds < 0 || handle->numFds > kNativeHandleMaxFds) {
+ LOG(HAL, Error)
+ << "Invalid number of fds (" << handle->numFds
+ << ") in buffer " << i;
+ return false;
+ }
+
+ constexpr int kNativeHandleMaxInts = 1024;
+ if (handle->numInts < 0 || handle->numInts > kNativeHandleMaxInts) {
+ LOG(HAL, Error)
+ << "Invalid number of ints (" << handle->numInts
+ << ") in buffer " << i;
+ return false;
+ }
+ }
+
return true;
}