From patchwork Sat May 15 18:38:26 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Laurent Pinchart X-Patchwork-Id: 12307 X-Patchwork-Delegate: laurent.pinchart@ideasonboard.com Return-Path: X-Original-To: parsemail@patchwork.libcamera.org Delivered-To: parsemail@patchwork.libcamera.org Received: from lancelot.ideasonboard.com (lancelot.ideasonboard.com [92.243.16.209]) by patchwork.libcamera.org (Postfix) with ESMTPS id 9F4BEC31FB for ; Sat, 15 May 2021 18:38:45 +0000 (UTC) Received: from lancelot.ideasonboard.com (localhost [IPv6:::1]) by lancelot.ideasonboard.com (Postfix) with ESMTP id 358066891C; Sat, 15 May 2021 20:38:45 +0200 (CEST) Authentication-Results: lancelot.ideasonboard.com; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=ideasonboard.com header.i=@ideasonboard.com header.b="jNT0V874"; dkim-atps=neutral Received: from perceval.ideasonboard.com (perceval.ideasonboard.com [IPv6:2001:4b98:dc2:55:216:3eff:fef7:d647]) by lancelot.ideasonboard.com (Postfix) with ESMTPS id 8E69C68922 for ; Sat, 15 May 2021 20:38:41 +0200 (CEST) Received: from pendragon.lan (62-78-145-57.bb.dnainternet.fi [62.78.145.57]) by perceval.ideasonboard.com (Postfix) with ESMTPSA id D9ADC436; Sat, 15 May 2021 20:38:40 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ideasonboard.com; s=mail; t=1621103921; bh=hFx1vZWboqmba7kNCvzD3RUJNZ78+tS9s2S2+nB4hWs=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=jNT0V874KtyL5ySThaeCe1lguZ+HhZChGc1BnNvkSfoouf7hyrom3a/Yh9QmN4H7L 0tIxgSdTEqS+W5VoIPCqXPspySxAuyriB4azuruNVr8j0a0gHfTaWO90ljVn3euYpU LotpLSnisaarUy1e98X3c8Q1nZen0XMFVNTByjLI= From: Laurent Pinchart To: libcamera-devel@lists.libcamera.org Date: Sat, 15 May 2021 21:38:26 +0300 Message-Id: <20210515183826.21003-5-laurent.pinchart@ideasonboard.com> X-Mailer: git-send-email 2.28.1 In-Reply-To: <20210515183826.21003-1-laurent.pinchart@ideasonboard.com> References: <20210515183826.21003-1-laurent.pinchart@ideasonboard.com> MIME-Version: 1.0 Subject: [libcamera-devel] [PATCH 4/4] android: camera_metadata: Add type sanity check to updateEntry() X-BeenThere: libcamera-devel@lists.libcamera.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: libcamera-devel-bounces@lists.libcamera.org Sender: "libcamera-devel" The CameraMetadata::updateEntry() functions cast the data pointer to a void pointer, which is then used internally to call update_camera_metadata_entry(). If the caller passes a pointer to an incorrect data type, the behaviour is undefined, with possible crashes if the incorrect data type is smaller than expected by the Android metadata library. To avoid crashes, make all public updateEntry() functions take typed pointers, and pass the element size to the internal function. The element size is then checked against the expected size, and an error message logged if they don't match. This won't catch incorrect data types that have the same size as the correct type, but will at least avoid potential crashes. Signed-off-by: Laurent Pinchart Reviewed-by: Hirokazu Honda Reviewed-by: Kieran Bingham --- src/android/camera_metadata.cpp | 11 ++++++++++- src/android/camera_metadata.h | 12 +++++++++--- 2 files changed, 19 insertions(+), 4 deletions(-) diff --git a/src/android/camera_metadata.cpp b/src/android/camera_metadata.cpp index 59366c50cc16..3eb71d7f7d9d 100644 --- a/src/android/camera_metadata.cpp +++ b/src/android/camera_metadata.cpp @@ -137,7 +137,8 @@ bool CameraMetadata::addEntry(uint32_t tag, const void *data, size_t count, return false; } -bool CameraMetadata::updateEntry(uint32_t tag, const void *data, size_t count) +bool CameraMetadata::updateEntry(uint32_t tag, const void *data, size_t count, + size_t elementSize) { if (!valid_) return false; @@ -152,6 +153,14 @@ bool CameraMetadata::updateEntry(uint32_t tag, const void *data, size_t count) return false; } + if (camera_metadata_type_size[entry.type] != elementSize) { + const char *name = get_camera_metadata_tag_name(tag); + LOG(CameraMetadata, Error) + << "Invalid element size for tag " + << (name ? name : "") << ": not present"; + return false; + } + size_t oldSize = calculate_camera_metadata_entry_data_size(entry.type, entry.count); diff --git a/src/android/camera_metadata.h b/src/android/camera_metadata.h index d7c8d9df689f..f8f2a0d23aa3 100644 --- a/src/android/camera_metadata.h +++ b/src/android/camera_metadata.h @@ -55,7 +55,7 @@ public: template bool updateEntry(uint32_t tag, const T &data) { - return updateEntry(tag, &data, 1); + return updateEntry(tag, &data, 1, sizeof(T)); } template @@ -68,10 +68,14 @@ public: typename T = typename S::value_type> bool updateEntry(uint32_t tag, const S &data) { - return updateEntry(tag, data.data(), data.size()); + return updateEntry(tag, data.data(), data.size(), sizeof(T)); } - bool updateEntry(uint32_t tag, const void *data, size_t count); + template + bool updateEntry(uint32_t tag, const T *data, size_t count) + { + return updateEntry(tag, data, count, sizeof(T)); + } camera_metadata_t *get(); const camera_metadata_t *get() const; @@ -80,6 +84,8 @@ private: bool resize(size_t count, size_t size); bool addEntry(uint32_t tag, const void *data, size_t count, size_t elementSize); + bool updateEntry(uint32_t tag, const void *data, size_t count, + size_t elementSize); camera_metadata_t *metadata_; bool valid_;