Check frame handle validity before freeing buffer.
in CameraSource::releaseRecordingFrame(), validate the
VideoNativeHandleMetadata field when received. Avoid releasing
invalid handles (and thus invalid memory) if this has been
corrupted in user space.
Bug: 37662122
Test: poc before/after on nyc-mr2
(cherry picked from commit 7eb18466d9ee817ae1087ddc895902e8eae05535)
Change-Id: Icb982d410677c3092f9eb611acaaba42b86e5f06
diff --git a/media/libstagefright/CameraSource.cpp b/media/libstagefright/CameraSource.cpp
index a569f5d..1cd7693 100644
--- a/media/libstagefright/CameraSource.cpp
+++ b/media/libstagefright/CameraSource.cpp
@@ -970,6 +970,14 @@
}
if (handle != nullptr) {
+ ssize_t offset;
+ size_t size;
+ sp<IMemoryHeap> heap = frame->getMemory(&offset, &size);
+ if (heap->getHeapID() != mMemoryHeapBase->getHeapID()) {
+ ALOGE("%s: Mismatched heap ID, ignoring release (got %x, expected %x)",
+ __FUNCTION__, heap->getHeapID(), mMemoryHeapBase->getHeapID());
+ return;
+ }
uint32_t batchSize = 0;
{
Mutex::Autolock autoLock(mBatchLock);
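Review bot: `heap->getHeapID()` in the added check dereferences the result of `frame->getMemory(&offset, &size)` without a null test, so a frame whose heap cannot be resolved would crash here instead of being rejected; this assumes getMemory() can return a null `sp<IMemoryHeap>` for a malformed or remote IMemory, which the hunk does not rule out. A guard placed before the comparison keeps the rejection path intact: `if (heap == nullptr) { ALOGE("%s: frame has no heap, ignoring release", __FUNCTION__); return; }`. It has to be a separate check rather than an extra `||` term, because the ALOGE in the mismatch branch also calls `heap->getHeapID()`. `offset` and `size` are fetched but unused in the visible lines, so the check confirms only which heap the frame belongs to, not that it falls on a valid buffer slot; whether that is validated elsewhere in releaseRecordingFrame() is outside the hunk.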