From c9ee8c2dd7d0860b41a3312bbf7ff390f5d0cf8e Mon Sep 17 00:00:00 2001
From: Mike Lockwood
Date: Mon, 25 Apr 2011 12:56:21 -0700
Subject: DO NOT MERGE MTP: Fix file descriptor leak in file editing extensions
Change-Id: Ie0b979b5cfd9b5f9e9196c5f8c8ecccef6ed84c3
Signed-off-by: Mike Lockwood
---
 media/mtp/MtpServer.cpp | 31 +++++++++++++------------------
 media/mtp/MtpServer.h | 22 ++++++++++++++++------
 2 files changed, 29 insertions(+), 24 deletions(-)
(limited to 'media/mtp')
diff --git a/media/mtp/MtpServer.cpp b/media/mtp/MtpServer.cpp
index ff4009c..b744b5b 100644
--- a/media/mtp/MtpServer.cpp
+++ b/media/mtp/MtpServer.cpp
@@ -270,12 +270,7 @@ void MtpServer::sendEvent(MtpEventCode code, uint32_t param1) {
 void MtpServer::addEditObject(MtpObjectHandle handle, MtpString& path, uint64_t size, MtpObjectFormat format, int fd) {
- ObjectEdit* edit = new ObjectEdit;
- edit->handle = handle;
- edit->path = path;
- edit->size = size;
- edit->format = format;
- edit->fd = fd;
+ ObjectEdit* edit = new ObjectEdit(handle, path, size, format, fd);
 mObjectEditList.add(edit);
 }
@@ -283,7 +278,7 @@ MtpServer::ObjectEdit* MtpServer::getEditObject(MtpObjectHandle handle) {
 int count = mObjectEditList.size();
 for (int i = 0; i < count; i++) {
 ObjectEdit* edit = mObjectEditList[i];
- if (edit->handle == handle) return edit;
+ if (edit->mHandle == handle) return edit;
 }
 return NULL;
 }
@@ -292,7 +287,7 @@ void MtpServer::removeEditObject(MtpObjectHandle handle) {
 int count = mObjectEditList.size();
 for (int i = 0; i < count; i++) {
 ObjectEdit* edit = mObjectEditList[i];
- if (edit->handle == handle) {
+ if (edit->mHandle == handle) {
 delete edit;
 mObjectEditList.removeAt(i);
 return;
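Review bot: addEditObject (the first MtpServer.cpp hunk) now transfers ownership of `fd` to the ObjectEdit, but nothing at the call boundary says so. The descriptor is closed by the ObjectEdit destructor when removeEditObject deletes the entry, so a caller that still closes it after this call would close it twice. I'd add a comment above the function such as `// takes ownership of fd; it is closed when the edit object is removed`. Entries still in mObjectEditList when the session ends are only closed if something deletes them, and that path is not visible in this diff.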
@@ -302,7 +297,7 @@ void MtpServer::removeEditObject(MtpObjectHandle handle) {
 }
 void MtpServer::commitEdit(ObjectEdit* edit) {
- mDatabase->endSendObject((const char *)edit->path, edit->handle, edit->format, true);
+ mDatabase->endSendObject((const char *)edit->mPath, edit->mHandle, edit->mFormat, true);
 }
@@ -681,7 +676,7 @@ MtpResponseCode MtpServer::doGetObjectInfo() {
 uint32_t size = info.mCompressedSize;
 ObjectEdit* edit = getEditObject(handle);
 if (edit)
- size = (edit->size > 0xFFFFFFFFLL ? 0xFFFFFFFF : (uint32_t)edit->size);
+ size = (edit->mSize > 0xFFFFFFFFLL ? 0xFFFFFFFF : (uint32_t)edit->mSize);
 mData.putUInt32(size);
 mData.putUInt16(info.mThumbFormat);
@@ -1059,8 +1054,8 @@ MtpResponseCode MtpServer::doSendPartialObject() {
 }
 // can't start writing past the end of the file
- if (offset > edit->size) {
- LOGD("writing past end of object, offset: %lld, edit->size: %lld", offset, edit->size);
+ if (offset > edit->mSize) {
+ LOGD("writing past end of object, offset: %lld, edit->mSize: %lld", offset, edit->mSize);
 return MTP_RESPONSE_GENERAL_ERROR;
 }
@@ -1071,10 +1066,10 @@ MtpResponseCode MtpServer::doSendPartialObject() {
 // reset so we don't attempt to send this back
 mData.reset();
- const char* filePath = (const char *)edit->path;
+ const char* filePath = (const char *)edit->mPath;
 LOGV("receiving partial %s %lld %ld\n", filePath, offset, length);
 mtp_file_range mfr;
- mfr.fd = edit->fd;
+ mfr.fd = edit->mFD;
 mfr.offset = offset;
 mfr.length = length;
@@ -1090,8 +1085,8 @@ MtpResponseCode MtpServer::doSendPartialObject() {
 }
 mResponse.setParameter(1, length);
 uint64_t end = offset + length;
- if (end > edit->size) {
- edit->size = end;
+ if (end > edit->mSize) {
+ edit->mSize = end;
 }
 return MTP_RESPONSE_OK;
 }
@@ -1107,10 +1102,10 @@ MtpResponseCode MtpServer::doTruncateObject() {
 uint64_t offset = mRequest.getParameter(2);
 uint64_t offset2 = mRequest.getParameter(3);
 offset |= (offset2 << 32);
- if (ftruncate(edit->fd, offset) != 0) {
+ if (ftruncate(edit->mFD, offset) != 0) {
 return MTP_RESPONSE_GENERAL_ERROR;
 } else {
- edit->size = offset;
+ edit->mSize = offset;
 return MTP_RESPONSE_OK;
 }
 }
diff --git a/media/mtp/MtpServer.h b/media/mtp/MtpServer.h
index 35a38e7..b06eb28 100644
--- a/media/mtp/MtpServer.h
+++ b/media/mtp/MtpServer.h
@@ -67,12 +67,22 @@ private:
 // represents an MTP object that is being edited using the android extensions
 // for direct editing (BeginEditObject, SendPartialObject, TruncateObject and EndEditObject)
- struct ObjectEdit {
- MtpObjectHandle handle;
- MtpString path;
- uint64_t size;
- MtpObjectFormat format;
- int fd;
+ class ObjectEdit {
+ public:
+ MtpObjectHandle mHandle;
+ MtpString mPath;
+ uint64_t mSize;
+ MtpObjectFormat mFormat;
+ int mFD;
+
+ ObjectEdit(MtpObjectHandle handle, const char* path, uint64_t size,
+ MtpObjectFormat format, int fd)
+ : mHandle(handle), mPath(path), mSize(size), mFormat(format), mFD(fd) {
+ }
+
+ virtual ~ObjectEdit() {
+ close(mFD);
+ }
 };
 Vector mObjectEditList;
--
cgit v1.1
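Review bot: ObjectEdit in MtpServer.h now closes `mFD` in its destructor but is still implicitly copyable, so any copy or by-value use would close the same descriptor twice. The second close could hit an unrelated descriptor that has since reused the number. The visible MtpServer.cpp code only handles pointers (`ObjectEdit* edit = mObjectEditList[i]`), so this is a latent hazard rather than a current bug. I'd make the class non-copyable by declaring `ObjectEdit(const ObjectEdit&);` and `ObjectEdit& operator=(const ObjectEdit&);` private and leaving them undefined. The destructor could also skip the call when `mFD < 0`, and `virtual` looks unnecessary unless something outside this hunk derives from ObjectEdit.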