{"id":12719,"url":"https://patchwork.libcamera.org/api/patches/12719/?format=json","web_url":"https://patchwork.libcamera.org/patch/12719/","project":{"id":1,"url":"https://patchwork.libcamera.org/api/projects/1/?format=json","name":"libcamera","link_name":"libcamera","list_id":"libcamera_core","list_email":"libcamera-devel@lists.libcamera.org","web_url":"","scm_url":"","webscm_url":""},"msgid":"<20210628064450.3286-1-laurent.pinchart@ideasonboard.com>","date":"2021-06-28T06:44:50","name":"[libcamera-devel] android: camera_device: Fix null pointer dereference","commit_ref":"1684c3f930b2a27884037bc38856477b80cddd50","pull_url":null,"state":"accepted","archived":false,"hash":"c1140da62ccebd2b3ae9891dc1a3c4cca5024daf","submitter":{"id":2,"url":"https://patchwork.libcamera.org/api/people/2/?format=json","name":"Laurent Pinchart","email":"laurent.pinchart@ideasonboard.com"},"delegate":null,"mbox":"https://patchwork.libcamera.org/patch/12719/mbox/","series":[{"id":2182,"url":"https://patchwork.libcamera.org/api/series/2182/?format=json","web_url":"https://patchwork.libcamera.org/project/libcamera/list/?series=2182","date":"2021-06-28T06:44:50","name":"[libcamera-devel] android: camera_device: Fix null pointer dereference","version":1,"mbox":"https://patchwork.libcamera.org/series/2182/mbox/"}],"comments":"https://patchwork.libcamera.org/api/patches/12719/comments/","check":"pending","checks":"https://patchwork.libcamera.org/api/patches/12719/checks/","tags":{},"headers":{"Return-Path":"<libcamera-devel-bounces@lists.libcamera.org>","X-Original-To":"parsemail@patchwork.libcamera.org","Delivered-To":"parsemail@patchwork.libcamera.org","Received":["from lancelot.ideasonboard.com (lancelot.ideasonboard.com\n\t[92.243.16.209])\n\tby patchwork.libcamera.org (Postfix) with ESMTPS id 270F1C321E\n\tfor <parsemail@patchwork.libcamera.org>;\n\tMon, 28 Jun 2021 06:44:58 +0000 (UTC)","from lancelot.ideasonboard.com (localhost [IPv6:::1])\n\tby lancelot.ideasonboard.com (Postfix) with ESMTP id 91011684D5;\n\tMon, 28 Jun 2021 08:44:57 +0200 (CEST)","from perceval.ideasonboard.com (perceval.ideasonboard.com\n\t[213.167.242.64])\n\tby lancelot.ideasonboard.com (Postfix) with ESMTPS id 9B51D6028C\n\tfor <libcamera-devel@lists.libcamera.org>;\n\tMon, 28 Jun 2021 08:44:56 +0200 (CEST)","from pendragon.lan (62-78-145-57.bb.dnainternet.fi [62.78.145.57])\n\tby perceval.ideasonboard.com (Postfix) with ESMTPSA id 25927B8A\n\tfor <libcamera-devel@lists.libcamera.org>;\n\tMon, 28 Jun 2021 08:44:56 +0200 (CEST)"],"Authentication-Results":"lancelot.ideasonboard.com;\n\tdkim=fail reason=\"signature verification failed\" (1024-bit key;\n\tunprotected) header.d=ideasonboard.com header.i=@ideasonboard.com\n\theader.b=\"Wst2/vNn\"; dkim-atps=neutral","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/simple; d=ideasonboard.com;\n\ts=mail; t=1624862696;\n\tbh=rrQ7kxqVBcGTsGtVNSono2VJwOiJYQK7SrlPrPSPCmk=;\n\th=From:To:Subject:Date:From;\n\tb=Wst2/vNnb2ulRmF9D2/fBahhjsY/ArZeTyt+wNkNNROpHVYt6nL451zPIrjiuXjYb\n\tOkcK21tIoxzFVwreRLiby+Jg0ah9+szOo/2WSga4v5IuubuDMfRU1jp0EqVcnRQXEW\n\tNfEA4QnF5gu+kzvyog/JDYdcNBoAD+RNgQRWA6sA=","From":"Laurent Pinchart <laurent.pinchart@ideasonboard.com>","To":"libcamera-devel@lists.libcamera.org","Date":"Mon, 28 Jun 2021 09:44:50 +0300","Message-Id":"<20210628064450.3286-1-laurent.pinchart@ideasonboard.com>","X-Mailer":"git-send-email 2.31.1","MIME-Version":"1.0","Content-Transfer-Encoding":"8bit","Subject":"[libcamera-devel] [PATCH] android: camera_device: Fix null pointer\n\tdereference","X-BeenThere":"libcamera-devel@lists.libcamera.org","X-Mailman-Version":"2.1.29","Precedence":"list","List-Id":"<libcamera-devel.lists.libcamera.org>","List-Unsubscribe":"<https://lists.libcamera.org/options/libcamera-devel>,\n\t<mailto:libcamera-devel-request@lists.libcamera.org?subject=unsubscribe>","List-Archive":"<https://lists.libcamera.org/pipermail/libcamera-devel/>","List-Post":"<mailto:libcamera-devel@lists.libcamera.org>","List-Help":"<mailto:libcamera-devel-request@lists.libcamera.org?subject=help>","List-Subscribe":"<https://lists.libcamera.org/listinfo/libcamera-devel>,\n\t<mailto:libcamera-devel-request@lists.libcamera.org?subject=subscribe>","Errors-To":"libcamera-devel-bounces@lists.libcamera.org","Sender":"\"libcamera-devel\" <libcamera-devel-bounces@lists.libcamera.org>"},"content":"Commit 7532caa2c77b (\"android: camera_device: Reset config_ if\nCamera::configure() fails\") reworked the configuration sequence to\nensure that the CameraConfiguration pointers gets reset when\nconfiguration fails. This inadvertently causes a null pointer\ndereference, as the CameraStream constructor accesses the camera\nconfiguration through CameraDevice::cameraConfiguration() before the\ninternal config_ pointer is set.\n\nFix this by passing the configuration pointer explicitly to the\nCameraStream constructor.\n\nFixes: 7532caa2c77b (\"android: camera_device: Reset config_ if Camera::configure() fails\")\nSigned-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>\n---\n src/android/camera_device.cpp | 4 ++--\n src/android/camera_device.h   | 4 ----\n src/android/camera_stream.cpp | 6 +++---\n src/android/camera_stream.h   | 3 ++-\n 4 files changed, 7 insertions(+), 10 deletions(-)","diff":"diff --git a/src/android/camera_device.cpp b/src/android/camera_device.cpp\nindex 13ee5fab4412..678cde231c63 100644\n--- a/src/android/camera_device.cpp\n+++ b/src/android/camera_device.cpp\n@@ -682,8 +682,8 @@ int CameraDevice::configureStreams(camera3_stream_configuration_t *stream_list)\n \t\tconfig->addConfiguration(streamConfig.config);\n \n \t\tfor (auto &stream : streamConfig.streams) {\n-\t\t\tstreams_.emplace_back(this, stream.type, stream.stream,\n-\t\t\t\t\t      config->size() - 1);\n+\t\t\tstreams_.emplace_back(this, config.get(), stream.type,\n+\t\t\t\t\t      stream.stream, config->size() - 1);\n \t\t\tstream.stream->priv = static_cast<void *>(&streams_.back());\n \t\t}\n \t}\ndiff --git a/src/android/camera_device.h b/src/android/camera_device.h\nindex 18cf51189e90..3361918d4484 100644\n--- a/src/android/camera_device.h\n+++ b/src/android/camera_device.h\n@@ -48,10 +48,6 @@ public:\n \tunsigned int id() const { return id_; }\n \tcamera3_device_t *camera3Device() { return &camera3Device_; }\n \tconst std::shared_ptr<libcamera::Camera> &camera() const { return camera_; }\n-\tlibcamera::CameraConfiguration *cameraConfiguration() const\n-\t{\n-\t\treturn config_.get();\n-\t}\n \n \tconst std::string &maker() const { return maker_; }\n \tconst std::string &model() const { return model_; }\ndiff --git a/src/android/camera_stream.cpp b/src/android/camera_stream.cpp\nindex b2f03b505199..bf4a7b41a70a 100644\n--- a/src/android/camera_stream.cpp\n+++ b/src/android/camera_stream.cpp\n@@ -39,10 +39,10 @@ LOG_DECLARE_CATEGORY(HAL)\n  * and buffer allocation.\n  */\n \n-CameraStream::CameraStream(CameraDevice *const cameraDevice, Type type,\n+CameraStream::CameraStream(CameraDevice *const cameraDevice,\n+\t\t\t   CameraConfiguration *config, Type type,\n \t\t\t   camera3_stream_t *camera3Stream, unsigned int index)\n-\t: cameraDevice_(cameraDevice),\n-\t  config_(cameraDevice->cameraConfiguration()), type_(type),\n+\t: cameraDevice_(cameraDevice), config_(config), type_(type),\n \t  camera3Stream_(camera3Stream), index_(index)\n {\n \tif (type_ == Type::Internal || type_ == Type::Mapped) {\ndiff --git a/src/android/camera_stream.h b/src/android/camera_stream.h\nindex 3401672233ca..8ecc6e345414 100644\n--- a/src/android/camera_stream.h\n+++ b/src/android/camera_stream.h\n@@ -110,7 +110,8 @@ public:\n \t\tInternal,\n \t\tMapped,\n \t};\n-\tCameraStream(CameraDevice *const cameraDevice, Type type,\n+\tCameraStream(CameraDevice *const cameraDevice,\n+\t\t     libcamera::CameraConfiguration *config, Type type,\n \t\t     camera3_stream_t *camera3Stream, unsigned int index);\n \n \tType type() const { return type_; }\n","prefixes":["libcamera-devel"]}