diff options
| author | Yin-Chia Yeh <yinchiayeh@google.com> | 2020-03-16 11:49:30 -0700 |
|---|---|---|
| committer | Anis Assi <anisassi@google.com> | 2020-04-09 13:46:11 -0700 |
| commit | 5c06c66e2cc55a76a92879bdd977d945d785f602 (patch) | |
| tree | ea0735252c7647252312de58e354c2720f333a4c | |
| parent | 48aad4d8791a794bd89148d72d13aff7445b8dd6 (diff) | |
| download | frameworks_av-5c06c66e2cc55a76a92879bdd977d945d785f602.tar.gz frameworks_av-5c06c66e2cc55a76a92879bdd977d945d785f602.tar.bz2 frameworks_av-5c06c66e2cc55a76a92879bdd977d945d785f602.zip | |
RESTRICT AUTOMERGE: Camera: fix use after free in sensor timestamp
The metadata object might be overriden later and has it memory
re-allocated; hence snaping the sensor timestamp value before
we call into any method that might change the metadata.
Test: build
Bug: 150944913
Merged-In: I5b10b680e0cce96ca49e1772770adb4835545472
Change-Id: I5b10b680e0cce96ca49e1772770adb4835545472
(cherry picked from commit 1859a38c4d8f438eba9cb7b39be102747407fa36)
| -rw-r--r-- | services/camera/libcameraservice/device3/Camera3Device.cpp | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/services/camera/libcameraservice/device3/Camera3Device.cpp b/services/camera/libcameraservice/device3/Camera3Device.cpp index 543914e5a4..2b07ac7ba9 100644 --- a/services/camera/libcameraservice/device3/Camera3Device.cpp +++ b/services/camera/libcameraservice/device3/Camera3Device.cpp @@ -2981,6 +2981,9 @@ void Camera3Device::sendCaptureResult(CameraMetadata &pendingMetadata, frameNumber); return; } + + nsecs_t sensorTimestamp = timestamp.data.i64[0]; + for (auto& physicalMetadata : captureResult.mPhysicalMetadatas) { camera_metadata_entry timestamp = physicalMetadata.mPhysicalCameraMetadata.find(ANDROID_SENSOR_TIMESTAMP); @@ -3000,7 +3003,7 @@ void Camera3Device::sendCaptureResult(CameraMetadata &pendingMetadata, } mTagMonitor.monitorMetadata(TagMonitor::RESULT, - frameNumber, timestamp.data.i64[0], captureResult.mMetadata); + frameNumber, sensorTimestamp, captureResult.mMetadata); insertResultLocked(&captureResult, frameNumber); } |