{"id":11520,"url":"https://patchwork.libcamera.org/api/patches/11520/?format=json","web_url":"https://patchwork.libcamera.org/patch/11520/","project":{"id":1,"url":"https://patchwork.libcamera.org/api/projects/1/?format=json","name":"libcamera","link_name":"libcamera","list_id":"libcamera_core","list_email":"libcamera-devel@lists.libcamera.org","web_url":"","scm_url":"","webscm_url":""},"msgid":"<20210308171001.529723-1-kieran.bingham@ideasonboard.com>","date":"2021-03-08T17:10:01","name":"[libcamera-devel] lc-compliance: Cache buffers size before destroy","commit_ref":null,"pull_url":null,"state":"accepted","archived":false,"hash":"a6b6ed6007b2956bc80390f720dd94403267ca0f","submitter":{"id":4,"url":"https://patchwork.libcamera.org/api/people/4/?format=json","name":"Kieran Bingham","email":"kieran.bingham@ideasonboard.com"},"delegate":{"id":16,"url":"https://patchwork.libcamera.org/api/users/16/?format=json","username":"neg","first_name":"Niklas","last_name":"Söderlund","email":"niklas.soderlund@ragnatech.se"},"mbox":"https://patchwork.libcamera.org/patch/11520/mbox/","series":[{"id":1771,"url":"https://patchwork.libcamera.org/api/series/1771/?format=json","web_url":"https://patchwork.libcamera.org/project/libcamera/list/?series=1771","date":"2021-03-08T17:10:01","name":"[libcamera-devel] lc-compliance: Cache buffers size before destroy","version":1,"mbox":"https://patchwork.libcamera.org/series/1771/mbox/"}],"comments":"https://patchwork.libcamera.org/api/patches/11520/comments/","check":"pending","checks":"https://patchwork.libcamera.org/api/patches/11520/checks/","tags":{},"headers":{"Return-Path":"","X-Original-To":"parsemail@patchwork.libcamera.org","Delivered-To":"parsemail@patchwork.libcamera.org","Received":["from lancelot.ideasonboard.com (lancelot.ideasonboard.com\n\t[92.243.16.209])\n\tby patchwork.libcamera.org (Postfix) with ESMTPS id A16DABD80C\n\tfor ;\n\tMon, 8 Mar 2021 17:10:07 +0000 (UTC)","from lancelot.ideasonboard.com (localhost [IPv6:::1])\n\tby lancelot.ideasonboard.com (Postfix) with ESMTP id 5FD0A68AAC;\n\tMon, 8 Mar 2021 18:10:07 +0100 (CET)","from perceval.ideasonboard.com (perceval.ideasonboard.com\n\t[IPv6:2001:4b98:dc2:55:216:3eff:fef7:d647])\n\tby lancelot.ideasonboard.com (Postfix) with ESMTPS id 4CE7268A9F\n\tfor ;\n\tMon, 8 Mar 2021 18:10:06 +0100 (CET)","from Q.local (cpc89244-aztw30-2-0-cust3082.18-1.cable.virginm.net\n\t[86.31.172.11])\n\tby perceval.ideasonboard.com (Postfix) with ESMTPSA id 716CAE7B;\n\tMon, 8 Mar 2021 18:10:04 +0100 (CET)"],"Authentication-Results":"lancelot.ideasonboard.com;\n\tdkim=fail reason=\"signature verification failed\" (1024-bit key;\n\tunprotected) header.d=ideasonboard.com header.i=@ideasonboard.com\n\theader.b=\"athxsjvF\"; dkim-atps=neutral","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/simple; d=ideasonboard.com;\n\ts=mail; t=1615223404;\n\tbh=YaCb/UKIQS35+wQKpQwuYz0ZboamERxCk/J/mLoe9cE=;\n\th=From:To:Cc:Subject:Date:In-Reply-To:References:From;\n\tb=athxsjvFlIS4aTgjwura4mG6Nfo4+nlEj6POlpqDBdHTJJQUBQS/Wm1dl2phbRwVU\n\ttus3s7q+jFItYjiVQ7x8mjL69vfw2PIbOWYqHYZGaDqUxR3h7RnskNhg/F97UUdsjW\n\t6G8JLkpaIhNqtfBhQ4xMMdVNemhBtkngUv9cTiAA=","From":"Kieran Bingham ","To":"libcamera devel ","Date":"Mon, 8 Mar 2021 17:10:01 +0000","Message-Id":"<20210308171001.529723-1-kieran.bingham@ideasonboard.com>","X-Mailer":"git-send-email 2.25.1","In-Reply-To":"<20210208102137.2164282-2-niklas.soderlund@ragnatech.se>","References":"<20210208102137.2164282-2-niklas.soderlund@ragnatech.se>","MIME-Version":"1.0","Subject":"[libcamera-devel] [PATCH] lc-compliance: Cache buffers size before\n\tdestroy","X-BeenThere":"libcamera-devel@lists.libcamera.org","X-Mailman-Version":"2.1.29","Precedence":"list","List-Id":"","List-Unsubscribe":",\n\t","List-Archive":"","List-Post":"","List-Help":"","List-Subscribe":",\n\t","Content-Type":"text/plain; charset=\"us-ascii\"","Content-Transfer-Encoding":"7bit","Errors-To":"libcamera-devel-bounces@lists.libcamera.org","Sender":"\"libcamera-devel\" "},"content":"The buffers.size is referenced after calling stop which destroys buffers.\n\nThis causes a use-after-free.\nCache the size so we can return the value appropriately in the\ntest results.\n\nSigned-off-by: Kieran Bingham \n---\n src/lc-compliance/simple_capture.cpp | 6 +++++-\n 1 file changed, 5 insertions(+), 1 deletion(-)","diff":"diff --git a/src/lc-compliance/simple_capture.cpp b/src/lc-compliance/simple_capture.cpp\nindex cfcad79ad655..88fb6a8187cc 100644\n--- a/src/lc-compliance/simple_capture.cpp\n+++ b/src/lc-compliance/simple_capture.cpp\n@@ -80,8 +80,12 @@ Results::Result SimpleCaptureBalanced::capture(unsigned int numRequests)\n \n \t/* No point in testing less requests then the camera depth. */\n \tif (buffers.size() > numRequests) {\n+\t\t/* Cache buffers.size() before we destroy it in stop() */\n+\t\tint buffers_size = buffers.size();\n \t\tstop();\n-\t\treturn { Results::Skip, \"Camera needs \" + std::to_string(buffers.size()) + \" requests, can't test only \" + std::to_string(numRequests) };\n+\n+\t\treturn { Results::Skip, \"Camera needs \" + std::to_string(buffers_size)\n+\t\t\t+ \" requests, can't test only \" + std::to_string(numRequests) };\n \t}\n \n \tqueueCount_ = 0;\n","prefixes":["libcamera-devel"]}