From patchwork Thu Apr  1 15:31:23 2021
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Hirokazu Honda <hiroh@chromium.org>
X-Patchwork-Id: 11817
Return-Path: <libcamera-devel-bounces@lists.libcamera.org>
X-Original-To: parsemail@patchwork.libcamera.org
Delivered-To: parsemail@patchwork.libcamera.org
Received: from lancelot.ideasonboard.com (lancelot.ideasonboard.com
	[92.243.16.209])
	by patchwork.libcamera.org (Postfix) with ESMTPS id 6AA9BC0DA4
	for <parsemail@patchwork.libcamera.org>;
	Thu,  1 Apr 2021 15:31:33 +0000 (UTC)
Received: from lancelot.ideasonboard.com (localhost [IPv6:::1])
	by lancelot.ideasonboard.com (Postfix) with ESMTP id 2477A68785;
	Thu,  1 Apr 2021 17:31:33 +0200 (CEST)
Authentication-Results: lancelot.ideasonboard.com;
	dkim=fail reason="signature verification failed" (1024-bit key;
	unprotected) header.d=chromium.org header.i=@chromium.org
	header.b="QcGJ/DOY"; dkim-atps=neutral
Received: from mail-pl1-x631.google.com (mail-pl1-x631.google.com
	[IPv6:2607:f8b0:4864:20::631])
	by lancelot.ideasonboard.com (Postfix) with ESMTPS id 7AAB66877D
	for <libcamera-devel@lists.libcamera.org>;
	Thu,  1 Apr 2021 17:31:31 +0200 (CEST)
Received: by mail-pl1-x631.google.com with SMTP id h8so1196385plt.7
	for <libcamera-devel@lists.libcamera.org>;
	Thu, 01 Apr 2021 08:31:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org;
	s=google;
	h=from:to:cc:subject:date:message-id:in-reply-to:references
	:mime-version:content-transfer-encoding;
	bh=hu5U0HoZHiBDDWfLVSbelbfR5T2kB/Jtr+5Fmomcagw=;
	b=QcGJ/DOY26/yMyYy+QIgm/HNLxG+atQrwB00SVOQfklbYqIbO8C0Dy5cImDFqeQOrH
	08J1O6xcCMU04jSXeZISfQgr57nbxOFi8hMt9FyrEaYooz8wLgmyOGxH7iPSdYHmnVbg
	hTJ78LsPE/A+tdK7cFtzWA2iAhiv3rtJBWdME=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
	:references:mime-version:content-transfer-encoding;
	bh=hu5U0HoZHiBDDWfLVSbelbfR5T2kB/Jtr+5Fmomcagw=;
	b=Vle4bGWkakTtHcyIjtsfN3H+mo0yeKwhkvYsQ6GSGwxCwKZwAETpuJ3ynDY+fnvubz
	1hS/bT53+YnHqBgeYV2joBwn4NpB1y6UHfJ5RZ0Vbw4JJD6xNOiVy4Dd5OZR+DESO4Ph
	x7sXzHeJp98l7B1Za+iaeDD2gl41GfpI7IOlliO37dGIMT6vayTfQt5YHPJXoOTQsFp3
	wGhQJtNbWB7m0viTsCW466FaV9ZsWWZ1x4HIM3rvlIBcrlgNJqdTm1LMYlZ006xprYmG
	QCc7bLjJ++ZWM16/sAnIie7J+BZ4ZAjd4Ib3giMLn8Ix6tCOExwSaQyFmwE6XSvS9QIL
	w0QQ==
X-Gm-Message-State: AOAM533GXAFVO7OKaYuOo5V6LCZTpMyNiKX2Uijb3PuKXAYDa29uMurl
	5HgmZ/hLenilnu22m0VlNtbKYYxheEHwaw==
X-Google-Smtp-Source: 
 ABdhPJwBJ99+dZEcW50ZN5Ww+1SLCjERAUjc7qbBSgoQPNQCr12hruTEW5jiXSoizzK+Zd2Pw2Orrg==
X-Received: by 2002:a17:90a:db49:: with SMTP id
	u9mr9699646pjx.181.1617291089894;
	Thu, 01 Apr 2021 08:31:29 -0700 (PDT)
Received: from hiroh2.tok.corp.google.com
	([2401:fa00:8f:2:908:1da:b07c:32bc])
	by smtp.gmail.com with ESMTPSA id
	y68sm6521573pgy.5.2021.04.01.08.31.28
	(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
	Thu, 01 Apr 2021 08:31:29 -0700 (PDT)
From: Hirokazu Honda <hiroh@chromium.org>
To: libcamera-devel@lists.libcamera.org
Date: Fri,  2 Apr 2021 00:31:23 +0900
Message-Id: <20210401153123.1217170-2-hiroh@chromium.org>
X-Mailer: git-send-email 2.31.0.291.g576ba9dcdaf-goog
In-Reply-To: <20210401153123.1217170-1-hiroh@chromium.org>
References: <20210401153123.1217170-1-hiroh@chromium.org>
MIME-Version: 1.0
Subject: [libcamera-devel] [PATCH 2/2] android: CameraDevice: Add more
	camera3_capture_request validation
X-BeenThere: libcamera-devel@lists.libcamera.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <libcamera-devel.lists.libcamera.org>
List-Unsubscribe: <https://lists.libcamera.org/options/libcamera-devel>,
	<mailto:libcamera-devel-request@lists.libcamera.org?subject=unsubscribe>
List-Archive: <https://lists.libcamera.org/pipermail/libcamera-devel/>
List-Post: <mailto:libcamera-devel@lists.libcamera.org>
List-Help: <mailto:libcamera-devel-request@lists.libcamera.org?subject=help>
List-Subscribe: <https://lists.libcamera.org/listinfo/libcamera-devel>,
	<mailto:libcamera-devel-request@lists.libcamera.org?subject=subscribe>
Errors-To: libcamera-devel-bounces@lists.libcamera.org
Sender: "libcamera-devel" <libcamera-devel-bounces@lists.libcamera.org>

This adds more validation to camera3_capture_request mainly
about buffer_handle values.

Signed-off-by: Hirokazu Honda <hiroh@chromium.org>
---
 src/android/camera_device.cpp | 27 ++++++++++++++++++++++++++-
 1 file changed, 26 insertions(+), 1 deletion(-)

diff --git a/src/android/camera_device.cpp b/src/android/camera_device.cpp
index 48eb471d..4ed4d3ff 100644
--- a/src/android/camera_device.cpp
+++ b/src/android/camera_device.cpp
@@ -263,11 +263,36 @@ bool isValidRequest(camera3_capture_request_t *camera3Request)
 		return false;
 	}
 
-	if (!camera3Request->num_output_buffers) {
+	if (!camera3Request->num_output_buffers ||
+	    !camera3Request->output_buffers) {
 		LOG(HAL, Error) << "No output buffers provided";
 		return -EINVAL;
 	}
 
+	for (uint32_t i = 0; i < camera3Request->num_output_buffers; i++) {
+		const camera3_stream_buffer_t &outputBuffer =
+			camera3Request->output_buffers[i];
+		if (!outputBuffer.buffer || !(*outputBuffer.buffer)) {
+			LOG(HAL, Error) << "Invalid native handle";
+			return -EINVAL;
+		}
+
+		const native_handle_t *handle = *outputBuffer.buffer;
+		constexpr int kNativeHandleMaxFds = 1024;
+		if (handle->numFds < 0 || handle->numFds > kNativeHandleMaxFds) {
+			LOG(HAL, Error) << "Invalid number of fds: "
+					<< handle->numFds;
+			return -EINVAL;
+		}
+
+		constexpr int kNativeHandleMaxInts = 1024;
+		if (handle->numInts < 0 || handle->numInts > kNativeHandleMaxInts) {
+			LOG(HAL, Error) << "Invalid number of data"
+					<< handle->numInts;
+			return -EINVAL;
+		}
+	}
+
 	return true;
 }