From patchwork Fri Apr  2 01:55:29 2021
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Hirokazu Honda <hiroh@chromium.org>
X-Patchwork-Id: 11819
Return-Path: <libcamera-devel-bounces@lists.libcamera.org>
X-Original-To: parsemail@patchwork.libcamera.org
Delivered-To: parsemail@patchwork.libcamera.org
Received: from lancelot.ideasonboard.com (lancelot.ideasonboard.com
	[92.243.16.209])
	by patchwork.libcamera.org (Postfix) with ESMTPS id EE5C3C0DA3
	for <parsemail@patchwork.libcamera.org>;
	Fri,  2 Apr 2021 01:55:41 +0000 (UTC)
Received: from lancelot.ideasonboard.com (localhost [IPv6:::1])
	by lancelot.ideasonboard.com (Postfix) with ESMTP id AA52968787;
	Fri,  2 Apr 2021 03:55:41 +0200 (CEST)
Authentication-Results: lancelot.ideasonboard.com;
	dkim=fail reason="signature verification failed" (1024-bit key;
	unprotected) header.d=chromium.org header.i=@chromium.org
	header.b="ec40m/Wo"; dkim-atps=neutral
Received: from mail-pj1-x102a.google.com (mail-pj1-x102a.google.com
	[IPv6:2607:f8b0:4864:20::102a])
	by lancelot.ideasonboard.com (Postfix) with ESMTPS id 11DD368783
	for <libcamera-devel@lists.libcamera.org>;
	Fri,  2 Apr 2021 03:55:40 +0200 (CEST)
Received: by mail-pj1-x102a.google.com with SMTP id
	kk2-20020a17090b4a02b02900c777aa746fso1922214pjb.3
	for <libcamera-devel@lists.libcamera.org>;
	Thu, 01 Apr 2021 18:55:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org;
	s=google;
	h=from:to:cc:subject:date:message-id:in-reply-to:references
	:mime-version:content-transfer-encoding;
	bh=S5f6xT5gSu9Ch/pvxKjxyRcWkjwLagP5vBy1wAYqifE=;
	b=ec40m/WowGEOdJ3CrcQkErp4xN5yxMM3BxpLCfvgPNJF7hUZdSOjsgIw1cX6KmwtTu
	Oa+pWNHKBiFKbzsdKfAuRLzq/gXHFtykHY1VQtcKupWfIgr93MurHBwqyZkjKxLvKhzx
	pP9HTdE32oLIWQJfAHUbu/XI7XL13l3wQUs44=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
	:references:mime-version:content-transfer-encoding;
	bh=S5f6xT5gSu9Ch/pvxKjxyRcWkjwLagP5vBy1wAYqifE=;
	b=cJfj7KqPCKOiWH+MxNwa3uWJ7nB8Moo3gMNeeHSc5zTzjteNX3ndRpdBeGFJHcAYev
	Dk5S/4N7jdM49dwpgyoIDcwD0ZNMDIlhD2hLx9Bw4VDC1bPRHRh2kmpBXSHCDri0mZwQ
	M+XuxoouZgaTFFZvyEt9MFMcP83iw36PuKqsj6NqCrZtJkP0yI20QAlqaoeV4WbxvJpH
	T1R389m0iLZKq56JJRG6aKVU8K+hNczH+QcUycdS+lk7rIcb1N3W451QA8nWhZumEouM
	n5IH//d2SP+QIoC71BERuu0g8g3l01FLVIB6Fp3qa94hBnf1SnUfLJ5xkX4VMNRfglC+
	7HDw==
X-Gm-Message-State: AOAM5334pDq2f/DvoyooQHNqpCAcYwPWAmwzYNA8PExk3a2mFHLflCav
	tVJwX2kQPuVyWh6twCYYxIcuFe8SbOvmMw==
X-Google-Smtp-Source: 
 ABdhPJyQSsCCBE2enulySwrXcD0/f5FG4vuOMzF6R+r4ncU6Bs/qYvFqerklmK6B0+ghNGhKBeBudg==
X-Received: by 2002:a17:90b:357:: with SMTP id
	fh23mr11400789pjb.169.1617328538528;
	Thu, 01 Apr 2021 18:55:38 -0700 (PDT)
Received: from hiroh2.tok.corp.google.com
	([2401:fa00:8f:2:908:1da:b07c:32bc])
	by smtp.gmail.com with ESMTPSA id
	a65sm6540329pfb.116.2021.04.01.18.55.37
	(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
	Thu, 01 Apr 2021 18:55:38 -0700 (PDT)
From: Hirokazu Honda <hiroh@chromium.org>
To: libcamera-devel@lists.libcamera.org
Date: Fri,  2 Apr 2021 10:55:29 +0900
Message-Id: <20210402015529.1284943-2-hiroh@chromium.org>
X-Mailer: git-send-email 2.31.0.208.g409f899ff0-goog
In-Reply-To: <20210402015529.1284943-1-hiroh@chromium.org>
References: <20210402015529.1284943-1-hiroh@chromium.org>
MIME-Version: 1.0
Subject: [libcamera-devel] [PATCH v2 2/2] android: CameraDevice: Add more
	camera3_capture_request validation
X-BeenThere: libcamera-devel@lists.libcamera.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <libcamera-devel.lists.libcamera.org>
List-Unsubscribe: <https://lists.libcamera.org/options/libcamera-devel>,
	<mailto:libcamera-devel-request@lists.libcamera.org?subject=unsubscribe>
List-Archive: <https://lists.libcamera.org/pipermail/libcamera-devel/>
List-Post: <mailto:libcamera-devel@lists.libcamera.org>
List-Help: <mailto:libcamera-devel-request@lists.libcamera.org?subject=help>
List-Subscribe: <https://lists.libcamera.org/listinfo/libcamera-devel>,
	<mailto:libcamera-devel-request@lists.libcamera.org?subject=subscribe>
Errors-To: libcamera-devel-bounces@lists.libcamera.org
Sender: "libcamera-devel" <libcamera-devel-bounces@lists.libcamera.org>

This adds more validation to camera3_capture_request mainly
about buffer_handle values.

Signed-off-by: Hirokazu Honda <hiroh@chromium.org>
---
 src/android/camera_device.cpp | 27 ++++++++++++++++++++++++++-
 1 file changed, 26 insertions(+), 1 deletion(-)

diff --git a/src/android/camera_device.cpp b/src/android/camera_device.cpp
index 988c1fd5..5f9fc169 100644
--- a/src/android/camera_device.cpp
+++ b/src/android/camera_device.cpp
@@ -263,11 +263,36 @@ bool isValidRequest(camera3_capture_request_t *camera3Request)
 		return false;
 	}
 
-	if (!camera3Request->num_output_buffers) {
+	if (!camera3Request->num_output_buffers ||
+	    !camera3Request->output_buffers) {
 		LOG(HAL, Error) << "No output buffers provided";
 		return false;
 	}
 
+	for (uint32_t i = 0; i < camera3Request->num_output_buffers; i++) {
+		const camera3_stream_buffer_t &outputBuffer =
+			camera3Request->output_buffers[i];
+		if (!outputBuffer.buffer || !(*outputBuffer.buffer)) {
+			LOG(HAL, Error) << "Invalid native handle";
+			return false;
+		}
+
+		const native_handle_t *handle = *outputBuffer.buffer;
+		constexpr int kNativeHandleMaxFds = 1024;
+		if (handle->numFds < 0 || handle->numFds > kNativeHandleMaxFds) {
+			LOG(HAL, Error) << "Invalid number of fds: "
+					<< handle->numFds;
+			return false;
+		}
+
+		constexpr int kNativeHandleMaxInts = 1024;
+		if (handle->numInts < 0 || handle->numInts > kNativeHandleMaxInts) {
+			LOG(HAL, Error) << "Invalid number of data: "
+					<< handle->numInts;
+			return false;
+		}
+	}
+
 	return true;
 }