author Umang Jain <umang.jain@ideasonboard.com> 2021-08-19 19:40:48 +0530
committer Umang Jain <umang.jain@ideasonboard.com> 2021-08-19 19:56:57 +0530
commit 3558334561ed7712de088b496804ab3cbe1c8cd7
tree 372f0558e80461918316c5120f9daf79bc933f46 /src/libcamera/ipc_pipe.cpp
parent cdb70b5c4012e8bb87d4fe9008f466fab13ef062
libcamera: ipc_pipe: Do not run memcpy with null arguments

IPCMessage::payload() converts the IPCMessage into an IPCUnixSocket payload. However, if IPCMessage is constructed with one of the following constructors -

    IPCMessage::IPCMessage(),
    IPCMessage::IPCMessage(uint32_t cmd)
    IPCMessage::IPCMessage(const Header &header)

The data_ vector of IPCMessage is empty and uninitialised. In that case, IPCMessage::payload will try to memcpy() an empty data_ vector which can lead to invoking memcpy() with a nullptr parameter, which is then identified by the address sanity checker. Add a non-empty data_ vector check to avoid it.

The issue is noticed by running a test manually, testing the vimc IPA code paths in isolated mode. It is only noticed when the test is compiled with -Db_sanitize=address,undefined meson built-in option.

    ipc_pipe.cpp:110:8: runtime error: null pointer passed as argument 2, which is declared to never be null

Signed-off-by: Umang Jain <umang.jain@ideasonboard.com>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Reviewed-by: Paul Elder <paul.elder@ideasonboard.com>
Reviewed-by: Kieran Bingham <kieran.bingham@ideasonboard.com>

Diffstat (limited to 'src/libcamera/ipc_pipe.cpp')
-rw-r--r-- src/libcamera/ipc_pipe.cpp 7
1 files changed, 5 insertions, 2 deletions
diff --git a/src/libcamera/ipc_pipe.cpp b/src/libcamera/ipc_pipe.cpp
index 84136a82..ad870fd4 100644
--- a/src/libcamera/ipc_pipe.cpp
+++ b/src/libcamera/ipc_pipe.cpp
@@ -106,8 +106,11 @@ IPCUnixSocket::Payload IPCMessage::payload() const
memcpy(payload.data.data(), &header_, sizeof(Header));
- /* \todo Make this work without copy */
- memcpy(payload.data.data() + sizeof(Header), data_.data(), data_.size());
+ if (data_.size() > 0) {
+ /* \todo Make this work without copy */
+ memcpy(payload.data.data() + sizeof(Header),
+ data_.data(), data_.size());
+ }
for (const FileDescriptor &fd : fds_)
payload.fds.push_back(fd.fd());
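
Review bot: the new `if (data_.size() > 0)` guard carries no comment explaining why it exists, so a later cleanup could read it as a pointless optimisation and drop it. The only comment inside the block is the pre-existing `\todo Make this work without copy`, which is about something else. A one-line comment stating that data_.data() may be null for an empty vector, and that passing a null pointer to memcpy() is undefined behaviour even when the length is 0, would keep the reason next to the code. As a style point, `!data_.empty()` states the intent more directly than comparing size() against 0. Alternatively, std::copy(data_.begin(), data_.end(), payload.data.begin() + sizeof(Header)) handles an empty range without a guard.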