HAL3: Fix a use-after-free bug
mm_camera_buf_def_t for the source YUV of HDR+ request is wrapped in a
shared_ptr, and the memory for mm_camera_buf_def_t is deallocated after
returnYuvBufferAndEncode returns.
However, mm_camera_buf_def_t pointer is still used in the JPEG callback
later on. So we keep the mm_camera_buf_def_t struct around by keeping a
shared pointer to it.
Also fix a memory leak of input metadata mm_camera_buf_def_t.
Test: for i in {1..50}; do atest -it NativeStillCaptureTest#testStillCapture; done
Bug: 150004253
Change-Id: I67ce2db1aca20245a5c3175008f17640fe6f5390
diff --git a/msm8998/QCamera2/HAL3/QCamera3Channel.cpp b/msm8998/QCamera2/HAL3/QCamera3Channel.cpp
index cf9fe4a..2309b71 100644
--- a/msm8998/QCamera2/HAL3/QCamera3Channel.cpp
+++ b/msm8998/QCamera2/HAL3/QCamera3Channel.cpp
@@ -4169,7 +4169,7 @@
int32_t QCamera3PicChannel::returnYuvBufferAndEncode(mm_camera_buf_def_t *frame,
buffer_handle_t *outBuffer, uint32_t frameNumber,
- std::shared_ptr<metadata_buffer_t> metadata)
+ std::shared_ptr<metadata_buffer_t> metadata, mm_camera_buf_def_t *metaFrame)
{
int32_t rc = OK;
@@ -4255,7 +4255,7 @@
metadataBuf->camera_handle = m_camHandle;
metadataBuf->ch_id = getMyHandle();
metadataBuf->num_bufs = 1;
- metadataBuf->bufs[0] = (mm_camera_buf_def_t *)calloc(1, sizeof(mm_camera_buf_def_t));
+ metadataBuf->bufs[0] = metaFrame;
metadataBuf->bufs[0]->buffer = metadata.get();
// Start processing the metadata
diff --git a/msm8998/QCamera2/HAL3/QCamera3Channel.h b/msm8998/QCamera2/HAL3/QCamera3Channel.h
index a23acd5..e60f751 100644
--- a/msm8998/QCamera2/HAL3/QCamera3Channel.h
+++ b/msm8998/QCamera2/HAL3/QCamera3Channel.h
@@ -586,7 +586,8 @@
// Return a YUV buffer (from getYuvBufferForRequest) and request jpeg encoding.
int32_t returnYuvBufferAndEncode(mm_camera_buf_def_t *frame,
buffer_handle_t *outBuffer, uint32_t frameNumber,
- std::shared_ptr<metadata_buffer_t> metadata);
+ std::shared_ptr<metadata_buffer_t> metadata,
+ mm_camera_buf_def_t *metaFrame);
// Return a YUV buffer (from getYuvBufferForRequest) without requesting jpeg encoding.
int32_t returnYuvBuffer(mm_camera_buf_def_t *frame);
diff --git a/msm8998/QCamera2/HAL3/QCamera3HWI.cpp b/msm8998/QCamera2/HAL3/QCamera3HWI.cpp
index 4248ddd..d190eba 100644
--- a/msm8998/QCamera2/HAL3/QCamera3HWI.cpp
+++ b/msm8998/QCamera2/HAL3/QCamera3HWI.cpp
@@ -5668,7 +5668,6 @@
// Mark current timestamp for the new request
bufsForCurRequest.timestamp = systemTime(CLOCK_MONOTONIC);
bufsForCurRequest.av_timestamp = 0;
- bufsForCurRequest.hdrplus = hdrPlusRequest;
if (hdrPlusRequest) {
// Save settings for this request.
@@ -15724,10 +15723,29 @@
}
if (channel == mPictureChannel) {
+ android_errorWriteLog(0x534e4554, "150004253");
+ // Keep a copy of outputBufferDef until the final JPEG buffer is
+ // ready because the JPEG callback uses the mm_camera_buf_def_t
+ // struct. The metaBufDef is stored in a shared_ptr to make sure
+ // it's freed.
+ std::shared_ptr<mm_camera_buf_def_t> metaBufDef =
+ std::make_shared<mm_camera_buf_def_t>();
+ {
+ pthread_mutex_lock(&mMutex);
+ for (auto& pendingBuffers : mPendingBuffersMap.mPendingBuffersInRequest) {
+ if (pendingBuffers.frame_number == result->requestId) {
+ pendingBuffers.mHdrplusInputBuf = outputBufferDef;
+ pendingBuffers.mHdrplusInputMetaBuf = metaBufDef;
+ break;
+ }
+ }
+ pthread_mutex_unlock(&mMutex);
+ }
+
// Return the buffer to pic channel for encoding.
mPictureChannel->returnYuvBufferAndEncode(outputBufferDef.get(),
frameworkOutputBuffer->buffer, result->requestId,
- halMetadata);
+ halMetadata, metaBufDef.get());
} else {
// Return the buffer to camera framework.
pthread_mutex_lock(&mMutex);
diff --git a/msm8998/QCamera2/HAL3/QCamera3HWI.h b/msm8998/QCamera2/HAL3/QCamera3HWI.h
index f7d8c42..c029cfd 100644
--- a/msm8998/QCamera2/HAL3/QCamera3HWI.h
+++ b/msm8998/QCamera2/HAL3/QCamera3HWI.h
@@ -128,7 +128,8 @@
nsecs_t timestamp;
nsecs_t av_timestamp;
List<PendingBufferInfo> mPendingBufferList;
- bool hdrplus;
+ std::shared_ptr<mm_camera_buf_def_t> mHdrplusInputBuf;
+ std::shared_ptr<mm_camera_buf_def_t> mHdrplusInputMetaBuf;
} PendingBuffersInRequest;
class PendingBuffersMap {
