diff options
author | Laurent Pinchart <laurent.pinchart@ideasonboard.com> | 2021-05-15 20:38:55 +0300 |
---|---|---|
committer | Laurent Pinchart <laurent.pinchart@ideasonboard.com> | 2021-05-18 14:45:29 +0300 |
commit | 2a103ba17ef2984dd59a31c1138414c4e0177cb0 (patch) | |
tree | 137185d7034cf25d88156626b9c33c30df856706 | |
parent | d189248302340909407f40a880af8a181dfd6203 (diff) |
android: camera_metadata: Add type sanity check to updateEntry()
The CameraMetadata::updateEntry() functions cast the data pointer to a
void pointer, which is then used internally to call
update_camera_metadata_entry(). If the caller passes a pointer to an
incorrect data type, the behaviour is undefined, with possible crashes
if the incorrect data type is smaller than expected by the Android
metadata library.
To avoid crashes, make all public updateEntry() functions take typed
pointers, and pass the element size to the internal function. The
element size is then checked against the expected size, and an error
message logged if they don't match. This won't catch incorrect data
types that have the same size as the correct type, but will at least
avoid potential crashes.
Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Reviewed-by: Hirokazu Honda <hiroh@chromium.org>
Reviewed-by: Kieran Bingham <kieran.bingham@ideasonboard.com>
Reviewed-by: Paul Elder <paul.elder@ideasonboard.com>
Tested-by: Paul Elder <paul.elder@ideasonboard.com>
-rw-r--r-- | src/android/camera_metadata.cpp | 11 | ||||
-rw-r--r-- | src/android/camera_metadata.h | 12 |
2 files changed, 19 insertions, 4 deletions
diff --git a/src/android/camera_metadata.cpp b/src/android/camera_metadata.cpp index 59366c50..ebe43ba4 100644 --- a/src/android/camera_metadata.cpp +++ b/src/android/camera_metadata.cpp @@ -137,7 +137,8 @@ bool CameraMetadata::addEntry(uint32_t tag, const void *data, size_t count, return false; } -bool CameraMetadata::updateEntry(uint32_t tag, const void *data, size_t count) +bool CameraMetadata::updateEntry(uint32_t tag, const void *data, size_t count, + size_t elementSize) { if (!valid_) return false; @@ -152,6 +153,14 @@ bool CameraMetadata::updateEntry(uint32_t tag, const void *data, size_t count) return false; } + if (camera_metadata_type_size[entry.type] != elementSize) { + const char *name = get_camera_metadata_tag_name(tag); + LOG(CameraMetadata, Fatal) + << "Invalid element size for tag " + << (name ? name : "<unknown>"); + return false; + } + size_t oldSize = calculate_camera_metadata_entry_data_size(entry.type, entry.count); diff --git a/src/android/camera_metadata.h b/src/android/camera_metadata.h index d7c8d9df..f8f2a0d2 100644 --- a/src/android/camera_metadata.h +++ b/src/android/camera_metadata.h @@ -55,7 +55,7 @@ public: template<typename T> bool updateEntry(uint32_t tag, const T &data) { - return updateEntry(tag, &data, 1); + return updateEntry(tag, &data, 1, sizeof(T)); } template<typename T, size_t size> @@ -68,10 +68,14 @@ public: typename T = typename S::value_type> bool updateEntry(uint32_t tag, const S &data) { - return updateEntry(tag, data.data(), data.size()); + return updateEntry(tag, data.data(), data.size(), sizeof(T)); } - bool updateEntry(uint32_t tag, const void *data, size_t count); + template<typename T> + bool updateEntry(uint32_t tag, const T *data, size_t count) + { + return updateEntry(tag, data, count, sizeof(T)); + } camera_metadata_t *get(); const camera_metadata_t *get() const; @@ -80,6 +84,8 @@ private: bool resize(size_t count, size_t size); bool addEntry(uint32_t tag, const void *data, size_t count, size_t elementSize); + bool updateEntry(uint32_t tag, const void *data, size_t count, + size_t elementSize); camera_metadata_t *metadata_; bool valid_; |