DO NOT MERGE: Camera: Adjust pointers to ANW buffers to avoid infoleak
Subtract address of a random static object from pointers being routed
through app process.
Bug: 28466701
Change-Id: Idcbfe81e9507433769672f3dc6d67db5eeed4e04
diff --git a/camera/ICameraRecordingProxy.cpp b/camera/ICameraRecordingProxy.cpp
index 3dc0ffb..517b64f 100644
--- a/camera/ICameraRecordingProxy.cpp
+++ b/camera/ICameraRecordingProxy.cpp
@@ -31,6 +31,11 @@
RELEASE_RECORDING_FRAME,
};
+uint8_t ICameraRecordingProxy::baseObject = 0;
+
+size_t ICameraRecordingProxy::getCommonBaseAddress() {
+ return (size_t)&baseObject;
+}
class BpCameraRecordingProxy: public BpInterface<ICameraRecordingProxy>
{
@@ -106,4 +111,3 @@
// ----------------------------------------------------------------------------
}; // namespace android
-
diff --git a/include/camera/ICameraRecordingProxy.h b/include/camera/ICameraRecordingProxy.h
index 2aac284..4edf9cd 100644
--- a/include/camera/ICameraRecordingProxy.h
+++ b/include/camera/ICameraRecordingProxy.h
@@ -83,6 +83,12 @@
virtual status_t startRecording(const sp<ICameraRecordingProxyListener>& listener) = 0;
virtual void stopRecording() = 0;
virtual void releaseRecordingFrame(const sp<IMemory>& mem) = 0;
+
+ // b/28466701
+ static size_t getCommonBaseAddress();
+ private:
+
+ static uint8_t baseObject;
};
// ----------------------------------------------------------------------------
diff --git a/include/media/stagefright/CameraSource.h b/include/media/stagefright/CameraSource.h
index 069e897..6c938a5 100644
--- a/include/media/stagefright/CameraSource.h
+++ b/include/media/stagefright/CameraSource.h
@@ -236,6 +236,9 @@
status_t checkFrameRate(const CameraParameters& params,
int32_t frameRate);
+ static void adjustIncomingANWBuffer(IMemory* data);
+ static void adjustOutgoingANWBuffer(IMemory* data);
+
void stopCameraRecording();
status_t reset();
diff --git a/media/libstagefright/CameraSource.cpp b/media/libstagefright/CameraSource.cpp
index 66280da..fa30644 100644
--- a/media/libstagefright/CameraSource.cpp
+++ b/media/libstagefright/CameraSource.cpp
@@ -27,8 +27,10 @@
#include <media/stagefright/MediaDefs.h>
#include <media/stagefright/MediaErrors.h>
#include <media/stagefright/MetaData.h>
+#include <media/hardware/HardwareAPI.h>
#include <camera/Camera.h>
#include <camera/CameraParameters.h>
+#include <camera/ICameraRecordingProxy.h>
#include <gui/Surface.h>
#include <utils/String8.h>
#include <cutils/properties.h>
@@ -792,6 +794,8 @@
List<sp<IMemory> >::iterator it;
while (!mFramesReceived.empty()) {
it = mFramesReceived.begin();
+ // b/28466701
+ adjustOutgoingANWBuffer(it->get());
releaseRecordingFrame(*it);
mFramesReceived.erase(it);
++mNumFramesDropped;
@@ -812,6 +816,9 @@
for (List<sp<IMemory> >::iterator it = mFramesBeingEncoded.begin();
it != mFramesBeingEncoded.end(); ++it) {
if ((*it)->pointer() == buffer->data()) {
+ // b/28466701
+ adjustOutgoingANWBuffer(it->get());
+
releaseOneRecordingFrame((*it));
mFramesBeingEncoded.erase(it);
++mNumFramesEncoded;
@@ -917,6 +924,10 @@
++mNumFramesReceived;
CHECK(data != NULL && data->size() > 0);
+
+ // b/28466701
+ adjustIncomingANWBuffer(data.get());
+
mFramesReceived.push_back(data);
int64_t timeUs = mStartTimeUs + (timestampUs - mFirstFrameTimeUs);
mFrameTimes.push_back(timeUs);
@@ -930,6 +941,24 @@
return mIsMetaDataStoredInVideoBuffers;
}
+void CameraSource::adjustIncomingANWBuffer(IMemory* data) {
+ VideoNativeMetadata *payload =
+ reinterpret_cast<VideoNativeMetadata*>(data->pointer());
+ if (payload->eType == kMetadataBufferTypeANWBuffer) {
+ payload->pBuffer = (ANativeWindowBuffer*)(((uint8_t*)payload->pBuffer) +
+ ICameraRecordingProxy::getCommonBaseAddress());
+ }
+}
+
+void CameraSource::adjustOutgoingANWBuffer(IMemory* data) {
+ VideoNativeMetadata *payload =
+ reinterpret_cast<VideoNativeMetadata*>(data->pointer());
+ if (payload->eType == kMetadataBufferTypeANWBuffer) {
+ payload->pBuffer = (ANativeWindowBuffer*)(((uint8_t*)payload->pBuffer) -
+ ICameraRecordingProxy::getCommonBaseAddress());
+ }
+}
+
CameraSource::ProxyListener::ProxyListener(const sp<CameraSource>& source) {
mSource = source;
}
diff --git a/services/camera/libcameraservice/api1/client2/StreamingProcessor.cpp b/services/camera/libcameraservice/api1/client2/StreamingProcessor.cpp
index 66d7b00..9e6c0db 100644
--- a/services/camera/libcameraservice/api1/client2/StreamingProcessor.cpp
+++ b/services/camera/libcameraservice/api1/client2/StreamingProcessor.cpp
@@ -30,6 +30,7 @@
#include <utils/Trace.h>
#include <gui/BufferItem.h>
#include <gui/Surface.h>
+#include <camera/ICameraRecordingProxy.h>
#include <media/hardware/HardwareAPI.h>
#include "common/CameraDeviceBase.h"
@@ -826,6 +827,9 @@
(uint8_t*)heap->getBase() + offset);
payload->eType = kMetadataBufferTypeANWBuffer;
payload->pBuffer = imgBuffer.mGraphicBuffer->getNativeBuffer();
+ // b/28466701
+ payload->pBuffer = (ANativeWindowBuffer*)((uint8_t*)payload->pBuffer -
+ ICameraRecordingProxy::getCommonBaseAddress());
payload->nFenceFd = -1;
ALOGVV("%s: Camera %d: Sending out ANWBuffer %p",
@@ -874,6 +878,10 @@
return;
}
+ // b/28466701
+ payload->pBuffer = (ANativeWindowBuffer*)(((uint8_t*)payload->pBuffer) +
+ ICameraRecordingProxy::getCommonBaseAddress());
+
// Release the buffer back to the recording queue
size_t itemIndex;
for (itemIndex = 0; itemIndex < mRecordingBuffers.size(); itemIndex++) {