From f34640b60740f358cd8888f3df9f02a40e4f3570 Mon Sep 17 00:00:00 2001 From: Abhinav Sohane Date: Tue, 19 Dec 2017 15:07:03 +0530 Subject: [PATCH] QCamera2:mm-camera-channel:Added check for max value of cur_capture_idx. Issue: In FLASH mode, while requesting superBuffers for 100 snapshots cur_capture_idx is increasing to more that MAX_CAPTURE_BATCH_NUM, so by derefrencing frameConfig.config to cur_capture_idx, stack memory is getting corrupted. Solution: Checking for max value of cur_capture_idx before derefrencing frameConfig.config array to avoid writing in outOfBound index memory. Change-Id: Icaea62be483b3ee97304441f7c9287b73496f09d --- .../QCamera2/stack/mm-camera-interface/src/mm_camera_channel.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/camera/QCamera2/stack/mm-camera-interface/src/mm_camera_channel.c b/camera/QCamera2/stack/mm-camera-interface/src/mm_camera_channel.c index dd99715..54c05c5 100644 --- a/camera/QCamera2/stack/mm-camera-interface/src/mm_camera_channel.c +++ b/camera/QCamera2/stack/mm-camera-interface/src/mm_camera_channel.c @@ -530,7 +530,7 @@ static void mm_channel_process_stream_buf(mm_camera_cmdcb_t * cmd_cb, ch_obj->isConfigCapture = FALSE; } - if (ch_obj->isConfigCapture) { + if (ch_obj->isConfigCapture && ch_obj->cur_capture_idx < MAX_CAPTURE_BATCH_NUM) { if (ch_obj->frameConfig.configs[ch_obj->cur_capture_idx].num_frames != 0) { ch_obj->frameConfig.configs[ch_obj->cur_capture_idx].num_frames--; } else {