From 1f24c730ab6ca5aff1e3137b340b8aeaeda4bdbc Mon Sep 17 00:00:00 2001
From: Eino-Ville Talvala <etalvala@google.com>
Date: Mon, 20 Jun 2016 17:00:14 -0700
Subject: DO NOT MERGE: Camera: Adjust pointers to ANW buffers to avoid
 infoleak

Subtract address of a random static object from pointers being routed
through app process.

Bug: 28466701
Change-Id: Idcbfe81e9507433769672f3dc6d67db5eeed4e04
---
 media/libstagefright/CameraSource.cpp | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)

(limited to 'media/libstagefright')

diff --git a/media/libstagefright/CameraSource.cpp b/media/libstagefright/CameraSource.cpp
index 66280da..fa30644 100644
--- a/media/libstagefright/CameraSource.cpp
+++ b/media/libstagefright/CameraSource.cpp
@@ -27,8 +27,10 @@
 #include <media/stagefright/MediaDefs.h>
 #include <media/stagefright/MediaErrors.h>
 #include <media/stagefright/MetaData.h>
+#include <media/hardware/HardwareAPI.h>
 #include <camera/Camera.h>
 #include <camera/CameraParameters.h>
+#include <camera/ICameraRecordingProxy.h>
 #include <gui/Surface.h>
 #include <utils/String8.h>
 #include <cutils/properties.h>
@@ -792,6 +794,8 @@ void CameraSource::releaseQueuedFrames() {
     List<sp<IMemory> >::iterator it;
     while (!mFramesReceived.empty()) {
         it = mFramesReceived.begin();
+        // b/28466701
+        adjustOutgoingANWBuffer(it->get());
         releaseRecordingFrame(*it);
         mFramesReceived.erase(it);
         ++mNumFramesDropped;
@@ -812,6 +816,9 @@ void CameraSource::signalBufferReturned(MediaBuffer *buffer) {
     for (List<sp<IMemory> >::iterator it = mFramesBeingEncoded.begin();
          it != mFramesBeingEncoded.end(); ++it) {
         if ((*it)->pointer() ==  buffer->data()) {
+            // b/28466701
+            adjustOutgoingANWBuffer(it->get());
+
             releaseOneRecordingFrame((*it));
             mFramesBeingEncoded.erase(it);
             ++mNumFramesEncoded;
@@ -917,6 +924,10 @@ void CameraSource::dataCallbackTimestamp(int64_t timestampUs,
     ++mNumFramesReceived;
 
     CHECK(data != NULL && data->size() > 0);
+
+    // b/28466701
+    adjustIncomingANWBuffer(data.get());
+
     mFramesReceived.push_back(data);
     int64_t timeUs = mStartTimeUs + (timestampUs - mFirstFrameTimeUs);
     mFrameTimes.push_back(timeUs);
@@ -930,6 +941,24 @@ bool CameraSource::isMetaDataStoredInVideoBuffers() const {
     return mIsMetaDataStoredInVideoBuffers;
 }
 
+void CameraSource::adjustIncomingANWBuffer(IMemory* data) {
+    VideoNativeMetadata *payload =
+            reinterpret_cast<VideoNativeMetadata*>(data->pointer());
+    if (payload->eType == kMetadataBufferTypeANWBuffer) {
+        payload->pBuffer = (ANativeWindowBuffer*)(((uint8_t*)payload->pBuffer) +
+                ICameraRecordingProxy::getCommonBaseAddress());
+    }
+}
+
+void CameraSource::adjustOutgoingANWBuffer(IMemory* data) {
+    VideoNativeMetadata *payload =
+            reinterpret_cast<VideoNativeMetadata*>(data->pointer());
+    if (payload->eType == kMetadataBufferTypeANWBuffer) {
+        payload->pBuffer = (ANativeWindowBuffer*)(((uint8_t*)payload->pBuffer) -
+                ICameraRecordingProxy::getCommonBaseAddress());
+    }
+}
+
 CameraSource::ProxyListener::ProxyListener(const sp<CameraSource>& source) {
     mSource = source;
 }
-- 
cgit v1.1