diff options
author | Yin-Chia Yeh <yinchiayeh@google.com> | 2020-03-16 11:49:30 -0700 |
---|---|---|
committer | Yin-Chia Yeh <yinchiayeh@google.com> | 2020-03-17 16:27:26 +0000 |
commit | 1859a38c4d8f438eba9cb7b39be102747407fa36 (patch) | |
tree | 77bb3e9a4cf6ae959be86aa89573f81ef69421b1 | |
parent | d8d4e803842bed4188606856858189054a89c95c (diff) | |
download | frameworks_av-1859a38c4d8f438eba9cb7b39be102747407fa36.tar.gz frameworks_av-1859a38c4d8f438eba9cb7b39be102747407fa36.tar.bz2 frameworks_av-1859a38c4d8f438eba9cb7b39be102747407fa36.zip |
RESTRICT AUTOMERGE: Camera: fix use after free in sensor timestamp
The metadata object might be overriden later and has it memory
re-allocated; hence snaping the sensor timestamp value before
we call into any method that might change the metadata.
Test: build
Bug: 150944913
Merged-In: I5b10b680e0cce96ca49e1772770adb4835545472
Change-Id: I5b10b680e0cce96ca49e1772770adb4835545472
-rw-r--r-- | services/camera/libcameraservice/device3/Camera3Device.cpp | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/services/camera/libcameraservice/device3/Camera3Device.cpp b/services/camera/libcameraservice/device3/Camera3Device.cpp index 28ffc8b3db..fb81b88efb 100644 --- a/services/camera/libcameraservice/device3/Camera3Device.cpp +++ b/services/camera/libcameraservice/device3/Camera3Device.cpp @@ -3000,6 +3000,9 @@ void Camera3Device::sendCaptureResult(CameraMetadata &pendingMetadata, frameNumber); return; } + + nsecs_t sensorTimestamp = timestamp.data.i64[0]; + for (auto& physicalMetadata : captureResult.mPhysicalMetadatas) { camera_metadata_entry timestamp = physicalMetadata.mPhysicalCameraMetadata.find(ANDROID_SENSOR_TIMESTAMP); @@ -3019,7 +3022,7 @@ void Camera3Device::sendCaptureResult(CameraMetadata &pendingMetadata, } mTagMonitor.monitorMetadata(TagMonitor::RESULT, - frameNumber, timestamp.data.i64[0], captureResult.mMetadata); + frameNumber, sensorTimestamp, captureResult.mMetadata); insertResultLocked(&captureResult, frameNumber); } |