From 3558334561ed7712de088b496804ab3cbe1c8cd7 Mon Sep 17 00:00:00 2001 From: Umang Jain Date: Thu, 19 Aug 2021 19:40:48 +0530 Subject: libcamera: ipc_pipe: Do not run memcpy with null arguments IPCMessage::payload() converts the IPCMessage into an IPCUnixSocket payload. However, if IPCMessage is constructed with one of the following constructors - IPCMessage::IPCMessage(), IPCMessage::IPCMessage(uint32_t cmd) IPCMessage::IPCMessage(const Header &header) The data_ vector of IPCMessage is empty and uninitialised. In that case, IPCMessage::payload will try to memcpy() an empty data_ vector which can lead to invoking memcpy() with a nullptr parameter, which is then identified by the address sanity checker.. Add a non-empty data_ vector check to avoid it. The issue is noticed by running a test manually, testing the vimc IPA code paths in isolated mode. It is only noticed when the test is compiled with -Db_sanitize=address,undefined meson built-in option. ipc_pipe.cpp:110:8: runtime error: null pointer passed as argument 2, which is declared to never be null Signed-off-by: Umang Jain Reviewed-by: Laurent Pinchart Reviewed-by: Paul Elder Reviewed-by: Kieran Bingham --- src/libcamera/ipc_pipe.cpp | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/src/libcamera/ipc_pipe.cpp b/src/libcamera/ipc_pipe.cpp index 84136a82..ad870fd4 100644 --- a/src/libcamera/ipc_pipe.cpp +++ b/src/libcamera/ipc_pipe.cpp @@ -106,8 +106,11 @@ IPCUnixSocket::Payload IPCMessage::payload() const memcpy(payload.data.data(), &header_, sizeof(Header)); - /* \todo Make this work without copy */ - memcpy(payload.data.data() + sizeof(Header), data_.data(), data_.size()); + if (data_.size() > 0) { + /* \todo Make this work without copy */ + memcpy(payload.data.data() + sizeof(Header), + data_.data(), data_.size()); + } for (const FileDescriptor &fd : fds_) payload.fds.push_back(fd.fd()); -- cgit v1.2.1