From: Hirokazu Honda
To: libcamera-devel@lists.libcamera.org
Date: Fri, 2 Apr 2021 11:44:52 +0900
Message-Id: <20210402024452.1308253-2-hiroh@chromium.org>
In-Reply-To: <20210402024452.1308253-1-hiroh@chromium.org>
References: <20210402024452.1308253-1-hiroh@chromium.org>
Subject: [libcamera-devel] [PATCH v3 2/2] android: CameraDevice: Add more camera3_capture_request validation
X-Patchwork-Submitter: Hirokazu Honda
X-Patchwork-Id: 11824

This adds more validation to camera3_capture_request mainly about buffer_handle values.

Signed-off-by: Hirokazu Honda
Reviewed-by: Laurent Pinchart
--- src/android/camera_device.cpp | 29 +++++++++++++++++++++++++++-- 1 file changed, 27 insertions(+), 2 deletions(-) diff --git a/src/android/camera_device.cpp b/src/android/camera_device.cpp index 988c1fd5..8b6032fc 100644 --- a/src/android/camera_device.cpp +++ b/src/android/camera_device.cpp
@@ -263,11 +263,36 @@ bool isValidRequest(camera3_capture_request_t *camera3Request) return false; } - if (!camera3Request->num_output_buffers) { + if (!camera3Request->num_output_buffers || + !camera3Request->output_buffers) { LOG(HAL, Error) << "No output buffers provided"; return false; } + for (uint32_t i = 0; i < camera3Request->num_output_buffers; i++) { + const camera3_stream_buffer_t &outputBuffer = + camera3Request->output_buffers[i]; + if (!outputBuffer.buffer || !(*outputBuffer.buffer)) { + LOG(HAL, Error) << "Invalid native handle"; + return false; + } + + const native_handle_t *handle = *outputBuffer.buffer; + constexpr int kNativeHandleMaxFds = 1024; + if (handle->numFds < 0 || handle->numFds > kNativeHandleMaxFds) { + LOG(HAL, Error) << "Invalid number of fds: " + << handle->numFds; + return false; + } + + constexpr int kNativeHandleMaxInts = 1024; + if (handle->numInts < 0 || handle->numInts > kNativeHandleMaxInts) { + LOG(HAL, Error) << "Invalid number of data: " + << handle->numInts; + return false; + } + } + return true; } @@ -1800,7 +1825,7 @@ int CameraDevice::processControls(Camera3RequestDescriptor *descriptor) int CameraDevice::processCaptureRequest(camera3_capture_request_t *camera3Request) { - if (isValidRequest(camera3Request)) + if (!isValidRequest(camera3Request)) return -EINVAL; /* Start the camera if that's the first request we handle. */
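Review bot: In the isValidRequest hunk, the limits kNativeHandleMaxFds and kNativeHandleMaxInts are bare 1024 values declared inside the loop body, with no comment saying where the bound comes from; hoist them out of the loop and document the source of the limit so it can be kept in sync. The numInts error text reads "Invalid number of data", which does not name the field being rejected; "Invalid number of ints" would match the numFds message. None of the three new log lines prints the index i, so a rejected request does not say which output buffer was bad. The extended condition `!camera3Request->num_output_buffers || !camera3Request->output_buffers` still logs "No output buffers provided" when the count is non-zero but the array pointer is null, which is a different caller error and worth its own message.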
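Review bot: In the processCaptureRequest hunk, changing `if (isValidRequest(camera3Request))` to `if (!isValidRequest(camera3Request))` is a behavioural fix rather than added validation: the removed condition returned -EINVAL for requests that passed the check and let failing requests continue. The commit message only mentions buffer_handle validation, so the inversion should either be stated there or be moved into the change that introduced the check, which keeps the fix visible in history and when bisecting.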