diff options
| author | Eino-Ville Talvala <etalvala@google.com> | 2016-06-20 17:00:14 -0700 |
|---|---|---|
| committer | The Android Automerger <android-build@google.com> | 2016-06-23 15:05:18 -0700 |
| commit | 1f24c730ab6ca5aff1e3137b340b8aeaeda4bdbc (patch) | |
| tree | 240a349e5c0a5e783cd192317d3aa47c935861c2 /media/libstagefright | |
| parent | b351eabb428c7ca85a34513c64601f437923d576 (diff) | |
| download | frameworks_av-1f24c730ab6ca5aff1e3137b340b8aeaeda4bdbc.zip frameworks_av-1f24c730ab6ca5aff1e3137b340b8aeaeda4bdbc.tar.gz frameworks_av-1f24c730ab6ca5aff1e3137b340b8aeaeda4bdbc.tar.bz2 | |
DO NOT MERGE: Camera: Adjust pointers to ANW buffers to avoid infoleak
Subtract address of a random static object from pointers being routed
through app process.
Bug: 28466701
Change-Id: Idcbfe81e9507433769672f3dc6d67db5eeed4e04
Diffstat (limited to 'media/libstagefright')
| -rw-r--r-- | media/libstagefright/CameraSource.cpp | 29 |
1 files changed, 29 insertions, 0 deletions
diff --git a/media/libstagefright/CameraSource.cpp b/media/libstagefright/CameraSource.cpp index 66280da..fa30644 100644 --- a/media/libstagefright/CameraSource.cpp +++ b/media/libstagefright/CameraSource.cpp @@ -27,8 +27,10 @@ #include <media/stagefright/MediaDefs.h> #include <media/stagefright/MediaErrors.h> #include <media/stagefright/MetaData.h> +#include <media/hardware/HardwareAPI.h> #include <camera/Camera.h> #include <camera/CameraParameters.h> +#include <camera/ICameraRecordingProxy.h> #include <gui/Surface.h> #include <utils/String8.h> #include <cutils/properties.h> @@ -792,6 +794,8 @@ void CameraSource::releaseQueuedFrames() { List<sp<IMemory> >::iterator it; while (!mFramesReceived.empty()) { it = mFramesReceived.begin(); + // b/28466701 + adjustOutgoingANWBuffer(it->get()); releaseRecordingFrame(*it); mFramesReceived.erase(it); ++mNumFramesDropped; @@ -812,6 +816,9 @@ void CameraSource::signalBufferReturned(MediaBuffer *buffer) { for (List<sp<IMemory> >::iterator it = mFramesBeingEncoded.begin(); it != mFramesBeingEncoded.end(); ++it) { if ((*it)->pointer() == buffer->data()) { + // b/28466701 + adjustOutgoingANWBuffer(it->get()); + releaseOneRecordingFrame((*it)); mFramesBeingEncoded.erase(it); ++mNumFramesEncoded; @@ -917,6 +924,10 @@ void CameraSource::dataCallbackTimestamp(int64_t timestampUs, ++mNumFramesReceived; CHECK(data != NULL && data->size() > 0); + + // b/28466701 + adjustIncomingANWBuffer(data.get()); + mFramesReceived.push_back(data); int64_t timeUs = mStartTimeUs + (timestampUs - mFirstFrameTimeUs); mFrameTimes.push_back(timeUs); @@ -930,6 +941,24 @@ bool CameraSource::isMetaDataStoredInVideoBuffers() const { return mIsMetaDataStoredInVideoBuffers; } +void CameraSource::adjustIncomingANWBuffer(IMemory* data) { + VideoNativeMetadata *payload = + reinterpret_cast<VideoNativeMetadata*>(data->pointer()); + if (payload->eType == kMetadataBufferTypeANWBuffer) { + payload->pBuffer = (ANativeWindowBuffer*)(((uint8_t*)payload->pBuffer) + + ICameraRecordingProxy::getCommonBaseAddress()); + } +} + +void CameraSource::adjustOutgoingANWBuffer(IMemory* data) { + VideoNativeMetadata *payload = + reinterpret_cast<VideoNativeMetadata*>(data->pointer()); + if (payload->eType == kMetadataBufferTypeANWBuffer) { + payload->pBuffer = (ANativeWindowBuffer*)(((uint8_t*)payload->pBuffer) - + ICameraRecordingProxy::getCommonBaseAddress()); + } +} + CameraSource::ProxyListener::ProxyListener(const sp<CameraSource>& source) { mSource = source; } |