libcamera: ipc_pipe: Do not run memcpy with null arguments

IPCMessage::payload() converts the IPCMessage into an IPCUnixSocket
payload. However, if IPCMessage is constructed with one of the
following constructors -

	IPCMessage::IPCMessage(),
	IPCMessage::IPCMessage(uint32_t cmd),
	IPCMessage::IPCMessage(const Header &header)

The data_ vector of IPCMessage is empty and uninitialised. In that
case, IPCMessage::payload will try to memcpy() an empty data_ vector
which can lead to invoking memcpy() with a nullptr parameter, which
is then identified by the address sanity checker. Add a non-empty
data_ vector check to avoid it.

The issue is noticed by running a test manually, testing the vimc
IPA code paths in isolated mode. It is only noticed when the test
is compiled with -Db_sanitize=address,undefined meson built-in option.

ipc_pipe.cpp:110:8: runtime error: null pointer passed as argument 2, which is declared to never be null

Signed-off-by: Umang Jain <umang.jain@ideasonboard.com>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Reviewed-by: Paul Elder <paul.elder@ideasonboard.com>
Reviewed-by: Kieran Bingham <kieran.bingham@ideasonboard.com>
This commit is contained in:
Umang Jain
2021-08-19 19:40:48 +05:30
parent cdb70b5c40
commit 3558334561


@@ -106,8 +106,11 @@ IPCUnixSocket::Payload IPCMessage::payload() const
memcpy(payload.data.data(), &header_, sizeof(Header));
/* \todo Make this work without copy */
memcpy(payload.data.data() + sizeof(Header), data_.data(), data_.size());
if (data_.size() > 0) {
/* \todo Make this work without copy */
memcpy(payload.data.data() + sizeof(Header),
data_.data(), data_.size());
}
for (const FileDescriptor &fd : fds_)
payload.fds.push_back(fd.fd());
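Review bot: The `if (data_.size() > 0)` guard around the second memcpy() is the correct fix, because std::vector::data() may return a null pointer for an empty vector while memcpy()'s pointer arguments are declared non-null, which is exactly what the sanitizer reported at ipc_pipe.cpp:110; as a style point, `if (!data_.empty())` reads more idiomatically than `data_.size() > 0`. The first memcpy() of `&header_` with `sizeof(Header)` needs no such guard, since neither operand can be null or zero-sized. The removed line and the two-line replacement perform the same copy, so behaviour for non-empty payloads is unchanged.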