From patchwork Mon Jun 28 06:44:50 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Laurent Pinchart X-Patchwork-Id: 12719 Return-Path: X-Original-To: parsemail@patchwork.libcamera.org Delivered-To: parsemail@patchwork.libcamera.org Received: from lancelot.ideasonboard.com (lancelot.ideasonboard.com [92.243.16.209]) by patchwork.libcamera.org (Postfix) with ESMTPS id 270F1C321E for ; Mon, 28 Jun 2021 06:44:58 +0000 (UTC) Received: from lancelot.ideasonboard.com (localhost [IPv6:::1]) by lancelot.ideasonboard.com (Postfix) with ESMTP id 91011684D5; Mon, 28 Jun 2021 08:44:57 +0200 (CEST) Authentication-Results: lancelot.ideasonboard.com; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=ideasonboard.com header.i=@ideasonboard.com header.b="Wst2/vNn"; dkim-atps=neutral Received: from perceval.ideasonboard.com (perceval.ideasonboard.com [213.167.242.64]) by lancelot.ideasonboard.com (Postfix) with ESMTPS id 9B51D6028C for ; Mon, 28 Jun 2021 08:44:56 +0200 (CEST) Received: from pendragon.lan (62-78-145-57.bb.dnainternet.fi [62.78.145.57]) by perceval.ideasonboard.com (Postfix) with ESMTPSA id 25927B8A for ; Mon, 28 Jun 2021 08:44:56 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ideasonboard.com; s=mail; t=1624862696; bh=rrQ7kxqVBcGTsGtVNSono2VJwOiJYQK7SrlPrPSPCmk=; h=From:To:Subject:Date:From; b=Wst2/vNnb2ulRmF9D2/fBahhjsY/ArZeTyt+wNkNNROpHVYt6nL451zPIrjiuXjYb OkcK21tIoxzFVwreRLiby+Jg0ah9+szOo/2WSga4v5IuubuDMfRU1jp0EqVcnRQXEW NfEA4QnF5gu+kzvyog/JDYdcNBoAD+RNgQRWA6sA= From: Laurent Pinchart To: libcamera-devel@lists.libcamera.org Date: Mon, 28 Jun 2021 09:44:50 +0300 Message-Id: <20210628064450.3286-1-laurent.pinchart@ideasonboard.com> X-Mailer: git-send-email 2.31.1 MIME-Version: 1.0 Subject: [libcamera-devel] [PATCH] android: camera_device: Fix null pointer dereference X-BeenThere: libcamera-devel@lists.libcamera.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: libcamera-devel-bounces@lists.libcamera.org Sender: "libcamera-devel" Commit 7532caa2c77b ("android: camera_device: Reset config_ if Camera::configure() fails") reworked the configuration sequence to ensure that the CameraConfiguration pointers gets reset when configuration fails. This inadvertently causes a null pointer dereference, as the CameraStream constructor accesses the camera configuration through CameraDevice::cameraConfiguration() before the internal config_ pointer is set. Fix this by passing the configuration pointer explicitly to the CameraStream constructor. Fixes: 7532caa2c77b ("android: camera_device: Reset config_ if Camera::configure() fails") Signed-off-by: Laurent Pinchart Reviewed-by: Paul Elder Tested-by: Paul Elder Reviewed-by: Umang Jain Tested-by: Umang Jain Reviewed-by: Hirokazu Honda --- src/android/camera_device.cpp | 4 ++-- src/android/camera_device.h | 4 ---- src/android/camera_stream.cpp | 6 +++--- src/android/camera_stream.h | 3 ++- 4 files changed, 7 insertions(+), 10 deletions(-) diff --git a/src/android/camera_device.cpp b/src/android/camera_device.cpp index 13ee5fab4412..678cde231c63 100644 --- a/src/android/camera_device.cpp +++ b/src/android/camera_device.cpp @@ -682,8 +682,8 @@ int CameraDevice::configureStreams(camera3_stream_configuration_t *stream_list) config->addConfiguration(streamConfig.config); for (auto &stream : streamConfig.streams) { - streams_.emplace_back(this, stream.type, stream.stream, - config->size() - 1); + streams_.emplace_back(this, config.get(), stream.type, + stream.stream, config->size() - 1); stream.stream->priv = static_cast(&streams_.back()); } } diff --git a/src/android/camera_device.h b/src/android/camera_device.h index 18cf51189e90..3361918d4484 100644 --- a/src/android/camera_device.h +++ b/src/android/camera_device.h @@ -48,10 +48,6 @@ public: unsigned int id() const { return id_; } camera3_device_t *camera3Device() { return &camera3Device_; } const std::shared_ptr &camera() const { return camera_; } - libcamera::CameraConfiguration *cameraConfiguration() const - { - return config_.get(); - } const std::string &maker() const { return maker_; } const std::string &model() const { return model_; } diff --git a/src/android/camera_stream.cpp b/src/android/camera_stream.cpp index b2f03b505199..bf4a7b41a70a 100644 --- a/src/android/camera_stream.cpp +++ b/src/android/camera_stream.cpp @@ -39,10 +39,10 @@ LOG_DECLARE_CATEGORY(HAL) * and buffer allocation. */ -CameraStream::CameraStream(CameraDevice *const cameraDevice, Type type, +CameraStream::CameraStream(CameraDevice *const cameraDevice, + CameraConfiguration *config, Type type, camera3_stream_t *camera3Stream, unsigned int index) - : cameraDevice_(cameraDevice), - config_(cameraDevice->cameraConfiguration()), type_(type), + : cameraDevice_(cameraDevice), config_(config), type_(type), camera3Stream_(camera3Stream), index_(index) { if (type_ == Type::Internal || type_ == Type::Mapped) { diff --git a/src/android/camera_stream.h b/src/android/camera_stream.h index 3401672233ca..8ecc6e345414 100644 --- a/src/android/camera_stream.h +++ b/src/android/camera_stream.h @@ -110,7 +110,8 @@ public: Internal, Mapped, }; - CameraStream(CameraDevice *const cameraDevice, Type type, + CameraStream(CameraDevice *const cameraDevice, + libcamera::CameraConfiguration *config, Type type, camera3_stream_t *camera3Stream, unsigned int index); Type type() const { return type_; }