[libcamera-devel,v4,2/2] android: CameraDevice: Add more camera3_capture_request validation

Message ID 20210403133741.1595440-2-hiroh@chromium.org
State Accepted
Series
  • [libcamera-devel,v4,1/2] android: cameraDevice: Factorize the code of validating camera3_capture_request

Commit Message

Hirokazu Honda April 3, 2021, 1:37 p.m. UTC
This adds more validation to camera3_capture_request, mainly
of the buffer_handle values.

Signed-off-by: Hirokazu Honda <hiroh@chromium.org>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
---
 src/android/camera_device.cpp | 29 ++++++++++++++++++++++++++++-
 1 file changed, 28 insertions(+), 1 deletion(-)

Patch

diff --git a/src/android/camera_device.cpp b/src/android/camera_device.cpp
index d8ce43be..91791a10 100644
--- a/src/android/camera_device.cpp
+++ b/src/android/camera_device.cpp
@@ -263,11 +263,38 @@  bool isValidRequest(camera3_capture_request_t *camera3Request)
 		return false;
 	}
 
-	if (!camera3Request->num_output_buffers) {
+	if (!camera3Request->num_output_buffers ||
+	    !camera3Request->output_buffers) {
 		LOG(HAL, Error) << "No output buffers provided";
 		return false;
 	}
 
+	for (uint32_t i = 0; i < camera3Request->num_output_buffers; i++) {
+		const camera3_stream_buffer_t &outputBuffer =
+			camera3Request->output_buffers[i];
+		if (!outputBuffer.buffer || !(*outputBuffer.buffer)) {
+			LOG(HAL, Error) << "Invalid native handle";
+			return false;
+		}
+
+		const native_handle_t *handle = *outputBuffer.buffer;
+		constexpr int kNativeHandleMaxFds = 1024;
+		if (handle->numFds < 0 || handle->numFds > kNativeHandleMaxFds) {
+			LOG(HAL, Error)
+				<< "Invalid number of fds (" << handle->numFds
+				<< ") in buffer " << i;
+			return false;
+		}
+
+		constexpr int kNativeHandleMaxInts = 1024;
+		if (handle->numInts < 0 || handle->numInts > kNativeHandleMaxInts) {
+			LOG(HAL, Error)
+				<< "Invalid number of ints (" << handle->numInts
+				<< ") in buffer " << i;
+			return false;
+		}
+	}
+
 	return true;
 }
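Review bot: The new loop range-checks `numFds` and `numInts` but never reads `handle->version`, which consumers of native_handle_t conventionally compare with `sizeof(native_handle_t)` before trusting the counts. Since the handle arrives from the caller of the HAL, a `if (handle->version != sizeof(native_handle_t))` rejection with its own log line, placed ahead of the two range checks, would stop a handle with a mismatched layout from passing. The `"Invalid native handle"` message is also the only one of the three that omits the buffer index; `<< "Invalid native handle in buffer " << i` would make a rejected request traceable. The two 1024 limits are presumably meant to mirror the platform's native_handle maximums, so a short comment saying where the value comes from, and hoisting both constants out of the loop body, would help the next reader. isValidRequest starts above this hunk, so the earlier checks are not visible here.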