DO NOT MERGE Check frame handle validity before freeing buffer.
In CameraSource::releaseRecordingFrame(), validate the
VideoNativeHandleMetadata field when it is received. Avoid releasing invalid
handles (and thus invalid memory) if the metadata has been corrupted in user space.
Bug: 37662122
Test: poc before/after on nyc-mr2
Change-Id: If48c050a5c20552604a90f19130ad5837e80bf52
(cherry picked from commit e779e08977ff0be086cae86c8d05e55805a967a4)
diff --git a/media/libstagefright/CameraSource.cpp b/media/libstagefright/CameraSource.cpp
index 893da89..b7d9965 100644
--- a/media/libstagefright/CameraSource.cpp
+++ b/media/libstagefright/CameraSource.cpp
@@ -950,6 +950,14 @@
if (handle != nullptr) {
// Frame contains a VideoNativeHandleMetadata. Send the handle back to camera.
+ ssize_t offset;
+ size_t size;
+ sp<IMemoryHeap> heap = frame->getMemory(&offset, &size);
+ if (heap->getHeapID() != mMemoryHeapBase->getHeapID()) {
+ ALOGE("%s: Mismatched heap ID, ignoring release (got %x, expected %x)",
+ __FUNCTION__, heap->getHeapID(), mMemoryHeapBase->getHeapID());
+ return;
+ }
releaseRecordingFrameHandle(handle);
mMemoryBases.push_back(frame);
mMemoryBaseAvailableCond.signal();
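Review bot: The new check dereferences `heap` without a null test, and `frame->getMemory()` may return a null `sp<IMemoryHeap>` when the incoming IMemory is invalid, so a malformed frame could crash the process here instead of being rejected. Guard it in the same condition, `if (heap == nullptr || heap->getHeapID() != mMemoryHeapBase->getHeapID()) {`. The `offset` and `size` values are fetched but never checked, so a frame on the right heap with a region too small to hold a VideoNativeHandleMetadata still passes; comparing `size` against `sizeof(VideoNativeHandleMetadata)` would close that gap. Because the check sits inside `if (handle != nullptr)`, the handle was presumably read from the frame before the heap was validated. The function body starts and ends outside this hunk, so confirm that ordering and consider moving the validation ahead of the read.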