author | Hirokazu Honda <hiroh@chromium.org> | 2021-04-03 22:37:41 +0900 |
---|---|---|
committer | Laurent Pinchart <laurent.pinchart@ideasonboard.com> | 2021-04-04 01:47:32 +0300 |
commit | 90a0430abcfcd578659c184ae293b8af753f9182 (patch) | |
tree | 17cc4c86c6566975ac731531e454660c28c2d95c | |
parent | 7633a2d24d86554ef3586a7adad02f81555f4440 (diff) |
android: CameraDevice: Add more camera3_capture_request validation
This adds more validation to camera3_capture_request mainly
about buffer_handle values.
Signed-off-by: Hirokazu Honda <hiroh@chromium.org>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
-rw-r--r-- | src/android/camera_device.cpp | 29 |
1 files changed, 28 insertions, 1 deletions
diff --git a/src/android/camera_device.cpp b/src/android/camera_device.cpp
index b45e7884..6bee49a5 100644
--- a/src/android/camera_device.cpp
+++ b/src/android/camera_device.cpp
@@ -263,11 +263,38 @@ bool isValidRequest(camera3_capture_request_t *camera3Request)
 return false;
 }
 
- if (!camera3Request->num_output_buffers) {
+ if (!camera3Request->num_output_buffers ||
+ !camera3Request->output_buffers) {
 LOG(HAL, Error) << "No output buffers provided";
 return false;
 }
 
+ for (uint32_t i = 0; i < camera3Request->num_output_buffers; i++) {
+ const camera3_stream_buffer_t &outputBuffer =
+ camera3Request->output_buffers[i];
+ if (!outputBuffer.buffer || !(*outputBuffer.buffer)) {
+ LOG(HAL, Error) << "Invalid native handle";
+ return false;
+ }
+
+ const native_handle_t *handle = *outputBuffer.buffer;
+ constexpr int kNativeHandleMaxFds = 1024;
+ if (handle->numFds < 0 || handle->numFds > kNativeHandleMaxFds) {
+ LOG(HAL, Error)
+ << "Invalid number of fds (" << handle->numFds
+ << ") in buffer " << i;
+ return false;
+ }
+
+ constexpr int kNativeHandleMaxInts = 1024;
+ if (handle->numInts < 0 || handle->numInts > kNativeHandleMaxInts) {
+ LOG(HAL, Error)
+ << "Invalid number of ints (" << handle->numInts
+ << ") in buffer " << i;
+ return false;
+ }
+ }
+
 return true;
 }
 
|
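Review bot: The new loop validates each buffer's handle but never checks `outputBuffer.stream`, so a request whose buffer carries a null stream pointer still passes isValidRequest(). If the request-processing code dereferences that pointer (not visible in this hunk), a malformed request from the caller would crash the HAL instead of being rejected here. I would add `if (!outputBuffer.stream) { LOG(HAL, Error) << "Invalid stream in buffer " << i; return false; }` ahead of the handle checks. Two smaller points in the same loop: `handle->version` is left unchecked while numFds and numInts are bounded, and the "Invalid native handle" message omits the buffer index that the two later messages print. isValidRequest() begins above the hunk, so its earlier checks are not visible here.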