From 1684c3f930b2a27884037bc38856477b80cddd50 Mon Sep 17 00:00:00 2001 From: Laurent Pinchart Date: Mon, 28 Jun 2021 09:41:27 +0300 Subject: android: camera_device: Fix null pointer dereference Commit 7532caa2c77b ("android: camera_device: Reset config_ if Camera::configure() fails") reworked the configuration sequence to ensure that the CameraConfiguration pointers gets reset when configuration fails. This inadvertently causes a null pointer dereference, as the CameraStream constructor accesses the camera configuration through CameraDevice::cameraConfiguration() before the internal config_ pointer is set. Fix this by passing the configuration pointer explicitly to the CameraStream constructor. Fixes: 7532caa2c77b ("android: camera_device: Reset config_ if Camera::configure() fails") Signed-off-by: Laurent Pinchart Reviewed-by: Paul Elder Tested-by: Paul Elder Reviewed-by: Umang Jain Tested-by: Umang Jain Reviewed-by: Hirokazu Honda --- src/android/camera_device.cpp | 4 ++-- src/android/camera_device.h | 4 ---- src/android/camera_stream.cpp | 6 +++--- src/android/camera_stream.h | 3 ++- 4 files changed, 7 insertions(+), 10 deletions(-) (limited to 'src') diff --git a/src/android/camera_device.cpp b/src/android/camera_device.cpp index 13ee5fab..678cde23 100644 --- a/src/android/camera_device.cpp +++ b/src/android/camera_device.cpp @@ -682,8 +682,8 @@ int CameraDevice::configureStreams(camera3_stream_configuration_t *stream_list) config->addConfiguration(streamConfig.config); for (auto &stream : streamConfig.streams) { - streams_.emplace_back(this, stream.type, stream.stream, - config->size() - 1); + streams_.emplace_back(this, config.get(), stream.type, + stream.stream, config->size() - 1); stream.stream->priv = static_cast(&streams_.back()); } } diff --git a/src/android/camera_device.h b/src/android/camera_device.h index 18cf5118..3361918d 100644 --- a/src/android/camera_device.h +++ b/src/android/camera_device.h @@ -48,10 +48,6 @@ public: unsigned int id() const { return id_; } camera3_device_t *camera3Device() { return &camera3Device_; } const std::shared_ptr &camera() const { return camera_; } - libcamera::CameraConfiguration *cameraConfiguration() const - { - return config_.get(); - } const std::string &maker() const { return maker_; } const std::string &model() const { return model_; } diff --git a/src/android/camera_stream.cpp b/src/android/camera_stream.cpp index b2f03b50..bf4a7b41 100644 --- a/src/android/camera_stream.cpp +++ b/src/android/camera_stream.cpp @@ -39,10 +39,10 @@ LOG_DECLARE_CATEGORY(HAL) * and buffer allocation. */ -CameraStream::CameraStream(CameraDevice *const cameraDevice, Type type, +CameraStream::CameraStream(CameraDevice *const cameraDevice, + CameraConfiguration *config, Type type, camera3_stream_t *camera3Stream, unsigned int index) - : cameraDevice_(cameraDevice), - config_(cameraDevice->cameraConfiguration()), type_(type), + : cameraDevice_(cameraDevice), config_(config), type_(type), camera3Stream_(camera3Stream), index_(index) { if (type_ == Type::Internal || type_ == Type::Mapped) { diff --git a/src/android/camera_stream.h b/src/android/camera_stream.h index 34016722..8ecc6e34 100644 --- a/src/android/camera_stream.h +++ b/src/android/camera_stream.h @@ -110,7 +110,8 @@ public: Internal, Mapped, }; - CameraStream(CameraDevice *const cameraDevice, Type type, + CameraStream(CameraDevice *const cameraDevice, + libcamera::CameraConfiguration *config, Type type, camera3_stream_t *camera3Stream, unsigned int index); Type type() const { return type_; } -- cgit v1.2.1