system/pipewire
system/pipewire
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/pipewire/pipewire synced 2024-09-06 16:56:00 +00:00
Code Issues Packages Projects Releases Wiki Activity

libcamera: fix a use-after-free due an attempt to stop the camera twice

Browse source 
Camera is currently stopped and started in the spa_libcamera_set_format()
function, but this leads to a segfault due attempting to access a buffers
field of an already freed libcamera::FrameBufferAllocator instance.

The FrameBufferAllocator instance is freed in LibCamera::stop(), that is
called by spa_libcamera_stream_off() as handler of the node commands
SPA_NODE_COMMAND_Pause and SPA_NODE_COMMAND_Suspend.

Since the camera was already stopped, there's no need to attempt to stop
it again. In fact, the camera shouldn't be stopped/started at all in the
spa_libcamera_set_format() function but instead only as an action of the
SPA_NODE_COMMAND_{Pause,Suspend} and SPA_NODE_COMMAND_Start commands.

And same for the stop that's done in the LibCamera::close() function, it
shouldn't be needed because the camera is already stopped before closing.

Fixes #1513
This commit is contained in:
Javier Martinez Canillas 2021-09-21 14:44:17 +02:00
parent a7a6f19815
commit 21c412dc49
No known key found for this signature in database
GPG key ID: C751E590D63F3D69
2 changed files with 2 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
spa/plugins/libcamera/libcamera-utils.c
View file

@ -470,9 +470,6 @@ static int spa_libcamera_set_format(struct impl *this, struct spa_video_info *fo
if ((res = spa_libcamera_open(dev)) < 0)
return res;
/* stop the camera first. It might have opened with different configuration*/
libcamera_stop_capture(dev->camera);
spa_log_info(dev->log, "libcamera: set %s %dx%d %d/%d\n", (char *)&info->fourcc,
fmt.width, fmt.height,
fmt.denominator, fmt.numerator);
@ -485,9 +482,6 @@ static int spa_libcamera_set_format(struct impl *this, struct spa_video_info *fo
return -EINVAL;
}
/* start the camera now with the configured params */
libcamera_start_capture(dev->camera);
dev->have_format = true;
size->width = libcamera_get_streamcfg_width(dev->camera);
size->height = libcamera_get_streamcfg_height(dev->camera);
@ -871,6 +865,8 @@ static int spa_libcamera_stream_on(struct impl *this)
libcamera_connect(dev->camera);
libcamera_start_capture(dev->camera);
port->source.func = libcamera_on_fd_events;
port->source.data = this;
port->source.fd = spa_system_eventfd_create(this->system, SPA_FD_CLOEXEC | SPA_FD_NONBLOCK);

1
spa/plugins/libcamera/libcamera_wrapper.cpp
View file

@ -540,7 +540,6 @@ extern "C" {
}
void LibCamera::close() {
this->stop();
this->cam_->release();
}