[libcamera-devel] [PATCH 2/2] libcamera: ipc_pipe: Do not run memcpy with null arguments

Umang Jain umang.jain at ideasonboard.com
Wed Aug 18 10:38:42 CEST 2021


IPCMessage::payload() converts the IPCMessage into an IPCUnixSocket
payload. However, if the IPCMessage is constructed with one of the
following constructors -

	IPCMessage::IPCMessage(),
	IPCMessage::IPCMessage(uint32_t cmd)
	IPCMessage::IPCMessage(const Header &header)

the data_ vector of the IPCMessage is empty and uninitialised. In that
case, IPCMessage::payload() will try to memcpy() an empty data_ vector,
which can lead to invoking memcpy() with nullptr. Add a non-empty
data_ vector check to avoid it.

The issue was noticed by running a test manually, testing the vimc
IPA code paths in isolated mode. It is only noticed when the test
is compiled with the -Db_sanitize=address,undefined meson built-in option.

ipc_pipe.cpp:110:8: runtime error: null pointer passed as argument 2, which is declared to never be null

Signed-off-by: Umang Jain <umang.jain at ideasonboard.com>
---
 src/libcamera/ipc_pipe.cpp | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/libcamera/ipc_pipe.cpp b/src/libcamera/ipc_pipe.cpp
index 28e20e03..c8761320 100644
--- a/src/libcamera/ipc_pipe.cpp
+++ b/src/libcamera/ipc_pipe.cpp
@@ -102,8 +102,11 @@ IPCUnixSocket::Payload IPCMessage::payload() const
 
 	memcpy(payload.data.data(), &header_, sizeof(Header));
 
-	/* \todo Make this work without copy */
-	memcpy(payload.data.data() + sizeof(Header), data_.data(), data_.size());
+	if (data_.size() > 0) {
+		/* \todo Make this work without copy */
+		memcpy(payload.data.data() + sizeof(Header), data_.data(), data_.size());
+	}
+
 	payload.fds = fds_;
 
 	return payload;
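Review bot: the guard `if (data_.size() > 0)` would read more idiomatically as `if (!data_.empty())`; it is also worth stating in the commit message that the check is a real correctness fix and not only sanitizer appeasement, since std::vector::data() may return a null pointer for an empty vector and the C standard requires memcpy() arguments to be valid pointers even when the length is zero, so the original unconditional call was undefined behaviour regardless of UBSan. A minor style point: the `\todo` comment now sits inside the new block, so consider keeping it above the `if` so the todo remains visible at a glance.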
-- 
2.31.0