[libcamera-devel] [PATCH 2/2] libcamera: ipc_pipe: Do not run memcpy with null arguments
Umang Jain
umang.jain at ideasonboard.com
Wed Aug 18 10:38:42 CEST 2021
IPCMessage::payload() converts the IPCMessage into an IPCUnixSocket
payload. However, if IPCMessage is constructor with one of the
following constructors -
IPCMessage::IPCMessage(),
IPCMessage::IPCMessage(uint32_t cmd)
IPCMessage::IPCMessage(const Header &header)
The data_ vector of IPCMessage is empty and uninitialised. In that
case, IPCMessage::payload will try to memcpy() empty data_ vector
which can lead to invoking memcpy() with nullptr. Add a non-empty
data_ vector check to avoid it.
The issue is noticed by running a test manually, testing the vimc
IPA code paths in isolated mode. It is only noticed when the test
is compiled with -Db_sanitize=address,undefined meson built-in option.
ipc_pipe.cpp:110:8: runtime error: null pointer passed as argument 2, which is declared to never be null
Signed-off-by: Umang Jain <umang.jain at ideasonboard.com>
---
src/libcamera/ipc_pipe.cpp | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/src/libcamera/ipc_pipe.cpp b/src/libcamera/ipc_pipe.cpp
index 28e20e03..c8761320 100644
--- a/src/libcamera/ipc_pipe.cpp
+++ b/src/libcamera/ipc_pipe.cpp
@@ -102,8 +102,11 @@ IPCUnixSocket::Payload IPCMessage::payload() const
memcpy(payload.data.data(), &header_, sizeof(Header));
- /* \todo Make this work without copy */
- memcpy(payload.data.data() + sizeof(Header), data_.data(), data_.size());
+ if (data_.size() > 0) {
+ /* \todo Make this work without copy */
+ memcpy(payload.data.data() + sizeof(Header), data_.data(), data_.size());
+ }
+
payload.fds = fds_;
return payload;
--
2.31.0
More information about the libcamera-devel
mailing list