From e992e75053e98e3699af6e344c11b787e30411ad Mon Sep 17 00:00:00 2001 From: Eino-Ville Talvala Date: Fri, 7 Nov 2014 16:17:48 -0800 Subject: Camera: Guard against asBinder() calls on NULL interfaces Bug: 18207548 Change-Id: I9879c9b4c0282a6b96b77398f62beedc47f7f0a0 --- camera/ICamera.cpp | 2 +- services/camera/libcameraservice/CameraService.cpp | 7 +++++-- .../camera/libcameraservice/api1/Camera2Client.cpp | 3 ++- .../camera/libcameraservice/api1/CameraClient.cpp | 3 ++- .../libcameraservice/api2/CameraDeviceClient.cpp | 23 ++++++++++++---------- .../libcameraservice/api_pro/ProCamera2Client.cpp | 3 ++- .../libcameraservice/common/Camera2ClientBase.cpp | 3 ++- 7 files changed, 27 insertions(+), 17 deletions(-) diff --git a/camera/ICamera.cpp b/camera/ICamera.cpp index 8c6e1f7..ca31c65 100644 --- a/camera/ICamera.cpp +++ b/camera/ICamera.cpp @@ -75,7 +75,7 @@ public: ALOGV("setPreviewTarget"); Parcel data, reply; data.writeInterfaceToken(ICamera::getInterfaceDescriptor()); - sp b(bufferProducer->asBinder()); + sp b(bufferProducer != NULL ? bufferProducer->asBinder() : NULL); data.writeStrongBinder(b); remote()->transact(SET_PREVIEW_TARGET, data, &reply); return reply.readInt32(); diff --git a/services/camera/libcameraservice/CameraService.cpp b/services/camera/libcameraservice/CameraService.cpp index fd5a426..889be74 100644 --- a/services/camera/libcameraservice/CameraService.cpp +++ b/services/camera/libcameraservice/CameraService.cpp @@ -1363,7 +1363,8 @@ CameraService::Client::Client(const sp& cameraService, int cameraId, int cameraFacing, int clientPid, uid_t clientUid, int servicePid) : - CameraService::BasicClient(cameraService, cameraClient->asBinder(), + CameraService::BasicClient(cameraService, + cameraClient != NULL ? cameraClient->asBinder() : NULL, clientPackageName, cameraId, cameraFacing, clientPid, clientUid, @@ -1476,7 +1477,9 @@ status_t CameraService::BasicClient::finishCameraOps() { } // Always stop watching, even if no camera op is active - mAppOpsManager.stopWatchingMode(mOpsCallback); + if (mOpsCallback != NULL) { + mAppOpsManager.stopWatchingMode(mOpsCallback); + } mOpsCallback.clear(); return OK; diff --git a/services/camera/libcameraservice/api1/Camera2Client.cpp b/services/camera/libcameraservice/api1/Camera2Client.cpp index 2a6aa7b..dd2f64d 100644 --- a/services/camera/libcameraservice/api1/Camera2Client.cpp +++ b/services/camera/libcameraservice/api1/Camera2Client.cpp @@ -165,7 +165,8 @@ status_t Camera2Client::dump(int fd, const Vector& args) { String8 result; result.appendFormat("Client2[%d] (%p) Client: %s PID: %d, dump:\n", mCameraId, - getRemoteCallback()->asBinder().get(), + (getRemoteCallback() != NULL ? + getRemoteCallback()->asBinder().get() : NULL), String8(mClientPackageName).string(), mClientPid); result.append(" State: "); diff --git a/services/camera/libcameraservice/api1/CameraClient.cpp b/services/camera/libcameraservice/api1/CameraClient.cpp index 1a4d9a6..2b17028 100644 --- a/services/camera/libcameraservice/api1/CameraClient.cpp +++ b/services/camera/libcameraservice/api1/CameraClient.cpp @@ -118,7 +118,8 @@ status_t CameraClient::dump(int fd, const Vector& args) { size_t len = snprintf(buffer, SIZE, "Client[%d] (%p) PID: %d\n", mCameraId, - getRemoteCallback()->asBinder().get(), + (getRemoteCallback() != NULL ? + getRemoteCallback()->asBinder().get() : NULL), mClientPid); len = (len > SIZE - 1) ? SIZE - 1 : len; write(fd, buffer, len); diff --git a/services/camera/libcameraservice/api2/CameraDeviceClient.cpp b/services/camera/libcameraservice/api2/CameraDeviceClient.cpp index e3301aa..c6d62e7 100644 --- a/services/camera/libcameraservice/api2/CameraDeviceClient.cpp +++ b/services/camera/libcameraservice/api2/CameraDeviceClient.cpp @@ -42,8 +42,14 @@ CameraDeviceClientBase::CameraDeviceClientBase( int clientPid, uid_t clientUid, int servicePid) : - BasicClient(cameraService, remoteCallback->asBinder(), clientPackageName, - cameraId, cameraFacing, clientPid, clientUid, servicePid), + BasicClient(cameraService, + remoteCallback != NULL ? remoteCallback->asBinder() : NULL, + clientPackageName, + cameraId, + cameraFacing, + clientPid, + clientUid, + servicePid), mRemoteCallback(remoteCallback) { } @@ -353,12 +359,8 @@ status_t CameraDeviceClient::createStream(int width, int height, int format, useAsync = true; } - sp binder; - sp anw; - if (bufferProducer != 0) { - binder = bufferProducer->asBinder(); - anw = new Surface(bufferProducer, useAsync); - } + sp binder = bufferProducer->asBinder(); + sp anw = new Surface(bufferProducer, useAsync); // TODO: remove w,h,f since we are ignoring them @@ -395,7 +397,7 @@ status_t CameraDeviceClient::createStream(int width, int height, int format, res = mDevice->createStream(anw, width, height, format, &streamId); if (res == OK) { - mStreamMap.add(bufferProducer->asBinder(), streamId); + mStreamMap.add(binder, streamId); ALOGV("%s: Camera %d: Successfully created a new stream ID %d", __FUNCTION__, mCameraId, streamId); @@ -514,7 +516,8 @@ status_t CameraDeviceClient::dump(int fd, const Vector& args) { String8 result; result.appendFormat("CameraDeviceClient[%d] (%p) dump:\n", mCameraId, - getRemoteCallback()->asBinder().get()); + (getRemoteCallback() != NULL ? + getRemoteCallback()->asBinder().get() : NULL) ); result.appendFormat(" Current client: %s (PID %d, UID %u)\n", String8(mClientPackageName).string(), mClientPid, mClientUid); diff --git a/services/camera/libcameraservice/api_pro/ProCamera2Client.cpp b/services/camera/libcameraservice/api_pro/ProCamera2Client.cpp index 2ea460f..9c8f0f4 100644 --- a/services/camera/libcameraservice/api_pro/ProCamera2Client.cpp +++ b/services/camera/libcameraservice/api_pro/ProCamera2Client.cpp @@ -334,7 +334,8 @@ status_t ProCamera2Client::dump(int fd, const Vector& args) { String8 result; result.appendFormat("ProCamera2Client[%d] (%p) PID: %d, dump:\n", mCameraId, - getRemoteCallback()->asBinder().get(), + (getRemoteCallback() != NULL ? + getRemoteCallback()->asBinder().get() : NULL), mClientPid); result.append(" State:\n"); write(fd, result.string(), result.size()); diff --git a/services/camera/libcameraservice/common/Camera2ClientBase.cpp b/services/camera/libcameraservice/common/Camera2ClientBase.cpp index d6db151..eb91bd4 100644 --- a/services/camera/libcameraservice/common/Camera2ClientBase.cpp +++ b/services/camera/libcameraservice/common/Camera2ClientBase.cpp @@ -128,7 +128,8 @@ status_t Camera2ClientBase::dump(int fd, String8 result; result.appendFormat("Camera2ClientBase[%d] (%p) PID: %d, dump:\n", TClientBase::mCameraId, - TClientBase::getRemoteCallback()->asBinder().get(), + (TClientBase::getRemoteCallback() != NULL ? + TClientBase::getRemoteCallback()->asBinder().get() : NULL), TClientBase::mClientPid); result.append(" State: "); -- cgit v1.1