diff options
author | Umang Jain <umang.jain@ideasonboard.com> | 2021-08-19 19:40:48 +0530 |
---|---|---|
committer | Umang Jain <umang.jain@ideasonboard.com> | 2021-08-19 19:56:57 +0530 |
commit | 3558334561ed7712de088b496804ab3cbe1c8cd7 (patch) | |
tree | 372f0558e80461918316c5120f9daf79bc933f46 /src/android/camera_device.h | |
parent | cdb70b5c4012e8bb87d4fe9008f466fab13ef062 (diff) |
libcamera: ipc_pipe: Do not run memcpy with null arguments
IPCMessage::payload() converts the IPCMessage into an IPCUnixSocket
payload. However, if IPCMessage is constructed with one of the
following constructors -
IPCMessage::IPCMessage(),
IPCMessage::IPCMessage(uint32_t cmd)
IPCMessage::IPCMessage(const Header &header)
The data_ vector of IPCMessage is empty and uninitialised. In that
case, IPCMessage::payload will try to memcpy() an empty data_ vector
which can lead to invoking memcpy() with a nullptr parameter, which
is then identified by the address sanity checker.. Add a non-empty
data_ vector check to avoid it.
The issue is noticed by running a test manually, testing the vimc
IPA code paths in isolated mode. It is only noticed when the test
is compiled with -Db_sanitize=address,undefined meson built-in option.
ipc_pipe.cpp:110:8: runtime error: null pointer passed as argument 2, which is declared to never be null
Signed-off-by: Umang Jain <umang.jain@ideasonboard.com>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Reviewed-by: Paul Elder <paul.elder@ideasonboard.com>
Reviewed-by: Kieran Bingham <kieran.bingham@ideasonboard.com>
Diffstat (limited to 'src/android/camera_device.h')
0 files changed, 0 insertions, 0 deletions