From 3fa89d8e1e8fc35c6447932bc46b6342fc70851f Mon Sep 17 00:00:00 2001 From: wangchaole Date: Wed, 21 Sep 2022 16:21:22 +0800 Subject: [PATCH 1/2] fix: data length check Signed-off-by: wangchaole --- .../include/distributed_camera_sink_proxy.h | 3 + .../src/distributed_camera_sink_proxy.cpp | 36 ++++++ .../listener/dcamera_photo_surface_listener.h | 1 + .../listener/dcamera_video_surface_listener.h | 1 + .../dcamera_photo_surface_listener.cpp | 2 +- .../dcamera_photo_surface_listener_common.cpp | 3 +- .../dcamera_video_surface_listener.cpp | 2 +- .../dcamera_video_surface_listener_common.cpp | 4 +- .../distributed_camera_sink_stub.h | 3 + .../dcamera_sink_controller.h | 1 + .../distributed_camera_sink_stub.cpp | 108 ++++++++++++++---- .../dcamera_sink_controller.cpp | 4 + .../encoder/encode_data_process.h | 1 + .../encoder/encode_data_process.cpp | 2 +- .../encoder/encode_data_process_common.cpp | 2 +- 15 files changed, 145 insertions(+), 28 deletions(-) diff --git a/interfaces/inner_kits/native_cpp/camera_sink/include/distributed_camera_sink_proxy.h b/interfaces/inner_kits/native_cpp/camera_sink/include/distributed_camera_sink_proxy.h index c987e71b..1f798e94 100644 --- a/interfaces/inner_kits/native_cpp/camera_sink/include/distributed_camera_sink_proxy.h +++ b/interfaces/inner_kits/native_cpp/camera_sink/include/distributed_camera_sink_proxy.h @@ -44,6 +44,9 @@ public: private: static inline BrokerDelegator delegator_; + + const size_t DID_MAX_SIZE = 256; + const size_t PARAM_MAX_SIZE = 50 * 1024 * 1024; }; } // namespace DistributedHardware } // namespace OHOS diff --git a/interfaces/inner_kits/native_cpp/camera_sink/src/distributed_camera_sink_proxy.cpp b/interfaces/inner_kits/native_cpp/camera_sink/src/distributed_camera_sink_proxy.cpp index 28b9033a..9674fc02 100644 --- a/interfaces/inner_kits/native_cpp/camera_sink/src/distributed_camera_sink_proxy.cpp +++ b/interfaces/inner_kits/native_cpp/camera_sink/src/distributed_camera_sink_proxy.cpp @@ -26,6 +26,10 @@ namespace DistributedHardware { int32_t DistributedCameraSinkProxy::InitSink(const std::string& params) { DHLOGI("DistributedCameraSinkProxy::InitSink"); + if (params.empty() || params.size() > PARAM_MAX_SIZE) { + DHLOGE("DistributedCameraSinkProxy::InitSink params is invalid"); + return DCAMERA_BAD_VALUE; + } sptr remote = Remote(); if (remote == nullptr) { DHLOGE("DistributedCameraSinkProxy::InitSink remote service is null"); @@ -72,6 +76,11 @@ int32_t DistributedCameraSinkProxy::ReleaseSink() int32_t DistributedCameraSinkProxy::SubscribeLocalHardware(const std::string& dhId, const std::string& parameters) { DHLOGI("DistributedCameraSinkProxy::SubscribeLocalHardware dhId: %s", GetAnonyString(dhId).c_str()); + if (parameters.empty() || parameters.size() > PARAM_MAX_SIZE || dhId.empty() || + dhId.size() > DID_MAX_SIZE) { + DHLOGE("DistributedCameraSinkProxy::SubscribeLocalHardware params is invalid"); + return DCAMERA_BAD_VALUE; + } sptr remote = Remote(); if (remote == nullptr) { DHLOGE("DistributedCameraSinkProxy::SubscribeLocalHardware remote service is null"); @@ -97,6 +106,10 @@ int32_t DistributedCameraSinkProxy::SubscribeLocalHardware(const std::string& dh int32_t DistributedCameraSinkProxy::UnsubscribeLocalHardware(const std::string& dhId) { DHLOGI("DistributedCameraSinkProxy::UnsubscribeLocalHardware dhId: %s", GetAnonyString(dhId).c_str()); + if (dhId.empty() || dhId.size() > DID_MAX_SIZE) { + DHLOGE("DistributedCameraSinkProxy::UnsubscribeLocalHardware params is invalid"); + return DCAMERA_BAD_VALUE; + } sptr remote = Remote(); if (remote == nullptr) { DHLOGE("DistributedCameraSinkProxy::UnsubscribeLocalHardware remote service is null"); @@ -122,6 +135,10 @@ int32_t DistributedCameraSinkProxy::UnsubscribeLocalHardware(const std::string& int32_t DistributedCameraSinkProxy::StopCapture(const std::string& dhId) { DHLOGI("DistributedCameraSinkProxy::StopCapture dhId: %s", GetAnonyString(dhId).c_str()); + if (dhId.empty() || dhId.size() > DID_MAX_SIZE) { + DHLOGE("DistributedCameraSinkProxy::StopCapture params is invalid"); + return DCAMERA_BAD_VALUE; + } sptr remote = Remote(); if (remote == nullptr) { DHLOGE("DistributedCameraSinkProxy::StopCapture remote service is null"); @@ -148,6 +165,11 @@ int32_t DistributedCameraSinkProxy::StopCapture(const std::string& dhId) int32_t DistributedCameraSinkProxy::ChannelNeg(const std::string& dhId, std::string& channelInfo) { DHLOGI("DistributedCameraSinkProxy::ChannelNeg dhId: %s", GetAnonyString(dhId).c_str()); + if (dhId.empty() || dhId.size() > DID_MAX_SIZE || channelInfo.empty() || + channelInfo.size() > PARAM_MAX_SIZE) { + DHLOGE("DistributedCameraSinkProxy::ChannelNeg params is invalid"); + return DCAMERA_BAD_VALUE; + } sptr remote = Remote(); if (remote == nullptr) { DHLOGE("DistributedCameraSinkProxy::ChannelNeg remote service is null"); @@ -173,6 +195,11 @@ int32_t DistributedCameraSinkProxy::ChannelNeg(const std::string& dhId, std::str int32_t DistributedCameraSinkProxy::GetCameraInfo(const std::string& dhId, std::string& cameraInfo) { DHLOGI("DistributedCameraSinkProxy::GetCameraInfo dhId: %s", GetAnonyString(dhId).c_str()); + if (dhId.empty() || dhId.size() > DID_MAX_SIZE || cameraInfo.empty() || + cameraInfo.size() > PARAM_MAX_SIZE) { + DHLOGE("DistributedCameraSinkProxy::GetCameraInfo parmas is invalid"); + return DCAMERA_BAD_VALUE; + } sptr remote = Remote(); if (remote == nullptr) { DHLOGE("DistributedCameraSinkProxy::GetCameraInfo remote service is null"); @@ -198,6 +225,11 @@ int32_t DistributedCameraSinkProxy::GetCameraInfo(const std::string& dhId, std:: int32_t DistributedCameraSinkProxy::OpenChannel(const std::string& dhId, std::string& openInfo) { DHLOGI("DistributedCameraSinkProxy::OpenChannel dhId: %s", GetAnonyString(dhId).c_str()); + if (dhId.empty() || dhId.size() > DID_MAX_SIZE || openInfo.empty() || + openInfo.size() > PARAM_MAX_SIZE) { + DHLOGE("DistributedCameraSinkProxy::OpenChannel params is invalid"); + return DCAMERA_BAD_VALUE; + } sptr remote = Remote(); if (remote == nullptr) { DHLOGE("DistributedCameraSinkProxy::OpenChannel remote service is null"); @@ -223,6 +255,10 @@ int32_t DistributedCameraSinkProxy::OpenChannel(const std::string& dhId, std::st int32_t DistributedCameraSinkProxy::CloseChannel(const std::string& dhId) { DHLOGI("DistributedCameraSinkProxy::CloseChannel dhId: %s", GetAnonyString(dhId).c_str()); + if (dhId.empty() || dhId.size() > DID_MAX_SIZE) { + DHLOGE("DistributedCameraSinkProxy::CloseChannel params is invalid"); + return DCAMERA_BAD_VALUE; + } sptr remote = Remote(); if (remote == nullptr) { DHLOGE("DistributedCameraSinkProxy::CloseChannel remote service is null"); diff --git a/services/cameraservice/cameraoperator/client/include/listener/dcamera_photo_surface_listener.h b/services/cameraservice/cameraoperator/client/include/listener/dcamera_photo_surface_listener.h index 72f77a68..4d77011d 100644 --- a/services/cameraservice/cameraoperator/client/include/listener/dcamera_photo_surface_listener.h +++ b/services/cameraservice/cameraoperator/client/include/listener/dcamera_photo_surface_listener.h @@ -30,6 +30,7 @@ public: private: sptr surface_; std::shared_ptr callback_; + const int32_t SURFACE_BUFFER_MAX_SIZE = 10 * 1024 * 1024; }; } // namespace DistributedHardware } // namespace OHOS diff --git a/services/cameraservice/cameraoperator/client/include/listener/dcamera_video_surface_listener.h b/services/cameraservice/cameraoperator/client/include/listener/dcamera_video_surface_listener.h index 6e06a7e1..cb33b642 100644 --- a/services/cameraservice/cameraoperator/client/include/listener/dcamera_video_surface_listener.h +++ b/services/cameraservice/cameraoperator/client/include/listener/dcamera_video_surface_listener.h @@ -30,6 +30,7 @@ public: private: sptr surface_; std::shared_ptr callback_; + const int32_t SURFACE_BUFFER_MAX_SIZE = 10 * 1024 * 1024; }; } // namespace DistributedHardware } // namespace OHOS diff --git a/services/cameraservice/cameraoperator/client/src/listener/dcamera_photo_surface_listener.cpp b/services/cameraservice/cameraoperator/client/src/listener/dcamera_photo_surface_listener.cpp index b6de33da..8dd8a488 100644 --- a/services/cameraservice/cameraoperator/client/src/listener/dcamera_photo_surface_listener.cpp +++ b/services/cameraservice/cameraoperator/client/src/listener/dcamera_photo_surface_listener.cpp @@ -53,7 +53,7 @@ void DCameraPhotoSurfaceListener::OnBufferAvailable() if (size <= 0) { size = static_cast(buffer->GetSize()); } - if ((address == nullptr) || (size <= 0)) { + if ((address == nullptr) || (size <= 0) || (size > SURFACE_BUFFER_MAX_SIZE)) { DHLOGE("DCameraPhotoSurfaceListener invalid params, size: %d", size); break; } diff --git a/services/cameraservice/cameraoperator/client/src/listener/dcamera_photo_surface_listener_common.cpp b/services/cameraservice/cameraoperator/client/src/listener/dcamera_photo_surface_listener_common.cpp index 89a8690c..d94e4687 100644 --- a/services/cameraservice/cameraoperator/client/src/listener/dcamera_photo_surface_listener_common.cpp +++ b/services/cameraservice/cameraoperator/client/src/listener/dcamera_photo_surface_listener_common.cpp @@ -52,9 +52,8 @@ void DCameraPhotoSurfaceListener::OnBufferAvailable() if (size <= 0) { size = static_cast(buffer->GetSize()); } - char *address = static_cast(buffer->GetVirAddr()); - if ((address == nullptr) || (size <= 0)) { + if ((address == nullptr) || (size <= 0) || (size > SURFACE_BUFFER_MAX_SIZE)) { DHLOGE("DCameraPhotoSurfaceListenerCommon invalid params, size: %d", size); break; } diff --git a/services/cameraservice/cameraoperator/client/src/listener/dcamera_video_surface_listener.cpp b/services/cameraservice/cameraoperator/client/src/listener/dcamera_video_surface_listener.cpp index 241d9284..f937b343 100644 --- a/services/cameraservice/cameraoperator/client/src/listener/dcamera_video_surface_listener.cpp +++ b/services/cameraservice/cameraoperator/client/src/listener/dcamera_video_surface_listener.cpp @@ -50,7 +50,7 @@ void DCameraVideoSurfaceListener::OnBufferAvailable() int32_t height = buffer->GetHeight(); int32_t size = buffer->GetSize(); char *address = static_cast(buffer->GetVirAddr()); - if ((address == nullptr) || (size <= 0) || (width <= 0) || (height <= 0)) { + if ((address == nullptr) || (size <= 0) || (width <= 0) || (height <= 0) || (size > SURFACE_BUFFER_MAX_SIZE)) { DHLOGE("DCameraVideoSurfaceListener invalid params, width: %d, height: %d, size: %d", width, height, size); break; } diff --git a/services/cameraservice/cameraoperator/client/src/listener/dcamera_video_surface_listener_common.cpp b/services/cameraservice/cameraoperator/client/src/listener/dcamera_video_surface_listener_common.cpp index 5408dd7a..c18db05f 100644 --- a/services/cameraservice/cameraoperator/client/src/listener/dcamera_video_surface_listener_common.cpp +++ b/services/cameraservice/cameraoperator/client/src/listener/dcamera_video_surface_listener_common.cpp @@ -50,8 +50,8 @@ void DCameraVideoSurfaceListener::OnBufferAvailable() int32_t height = buffer->GetHeight(); int32_t size = width * height * 4; char *address = static_cast(buffer->GetVirAddr()); - if ((address == nullptr) || (size <= 0)) { - DHLOGE("DCameraVideoSurfaceListenerCommon invalid params, size: %d", size); + if ((address == nullptr) || (size <= 0) || (size > SURFACE_BUFFER_MAX_SIZE)) { + DHLOGE("DCameraVideoSurfaceListenerCommon invalid params, width: %d, height: %d, size: %d", width, height, size); break; } diff --git a/services/cameraservice/sinkservice/include/distributedcamera/distributed_camera_sink_stub.h b/services/cameraservice/sinkservice/include/distributedcamera/distributed_camera_sink_stub.h index 3f31c97c..b2c2d1eb 100644 --- a/services/cameraservice/sinkservice/include/distributedcamera/distributed_camera_sink_stub.h +++ b/services/cameraservice/sinkservice/include/distributedcamera/distributed_camera_sink_stub.h @@ -42,6 +42,9 @@ private: using DCameraFunc = int32_t (DistributedCameraSinkStub::*)(MessageParcel &data, MessageParcel &reply); std::map memberFuncMap_; + + const size_t DID_MAX_SIZE = 256; + const size_t PARAM_MAX_SIZE = 50 * 1024 * 1024; }; } // namespace DistributedHardware } // namespace OHOS diff --git a/services/cameraservice/sinkservice/include/distributedcameramgr/dcamera_sink_controller.h b/services/cameraservice/sinkservice/include/distributedcameramgr/dcamera_sink_controller.h index 9b52949f..80d9e6b8 100644 --- a/services/cameraservice/sinkservice/include/distributedcameramgr/dcamera_sink_controller.h +++ b/services/cameraservice/sinkservice/include/distributedcameramgr/dcamera_sink_controller.h @@ -79,6 +79,7 @@ private: const std::string SESSION_FLAG = "control"; const std::string SRC_TYPE = "camera"; + const size_t DATABUFF_MAX_SIZE = 100 * 1024 * 1024; }; } // namespace DistributedHardware } // namespace OHOS diff --git a/services/cameraservice/sinkservice/src/distributedcamera/distributed_camera_sink_stub.cpp b/services/cameraservice/sinkservice/src/distributedcamera/distributed_camera_sink_stub.cpp index fe7ef955..385f281f 100644 --- a/services/cameraservice/sinkservice/src/distributedcamera/distributed_camera_sink_stub.cpp +++ b/services/cameraservice/sinkservice/src/distributedcamera/distributed_camera_sink_stub.cpp @@ -57,8 +57,16 @@ int32_t DistributedCameraSinkStub::OnRemoteRequest(uint32_t code, MessageParcel int32_t DistributedCameraSinkStub::InitSinkInner(MessageParcel &data, MessageParcel &reply) { DHLOGD("DistributedCameraSinkStub::InitSinkInner"); - std::string params = data.ReadString(); - int32_t ret = InitSink(params); + int32_t ret = DCAMERA_OK; + do { + std::string params = data.ReadString(); + if (params.empty() || params.size() > PARAM_MAX_SIZE) { + DHLOGE("DistributedCameraSinkStub::InitSinkInner params is invalid"); + ret = DCAMERA_BAD_VALUE; + break; + } + ret = InitSink(params); + } while (0); reply.WriteInt32(ret); return DCAMERA_OK; } @@ -74,9 +82,18 @@ int32_t DistributedCameraSinkStub::ReleaseSinkInner(MessageParcel &data, Message int32_t DistributedCameraSinkStub::SubscribeLocalHardwareInner(MessageParcel &data, MessageParcel &reply) { DHLOGD("DistributedCameraSinkStub::SubscribeLocalHardwareInner"); - std::string dhId = data.ReadString(); - std::string parameters = data.ReadString(); - int32_t ret = SubscribeLocalHardware(dhId, parameters); + int32_t ret = DCAMERA_OK; + do { + std::string dhId = data.ReadString(); + std::string parameters = data.ReadString(); + if (parameters.empty() || parameters.size() > PARAM_MAX_SIZE || dhId.empty() || + dhId.size() > DID_MAX_SIZE) { + DHLOGE("DistributedCameraSinkStub::SubscribeLocalHardwareInner params is invalid"); + ret = DCAMERA_BAD_VALUE; + break; + } + ret = SubscribeLocalHardware(dhId, parameters); + } while (0); reply.WriteInt32(ret); return DCAMERA_OK; } @@ -84,8 +101,16 @@ int32_t DistributedCameraSinkStub::SubscribeLocalHardwareInner(MessageParcel &da int32_t DistributedCameraSinkStub::UnsubscribeLocalHardwareInner(MessageParcel &data, MessageParcel &reply) { DHLOGD("DistributedCameraSinkStub::UnsubscribeLocalHardwareInner"); - std::string dhId = data.ReadString(); - int32_t ret = UnsubscribeLocalHardware(dhId); + int32_t ret = DCAMERA_OK; + do { + std::string dhId = data.ReadString(); + if (dhId.empty() || dhId.size() > DID_MAX_SIZE) { + DHLOGE("DistributedCameraSinkStub::UnsubscribeLocalHardwareInner params is invalid"); + ret = DCAMERA_BAD_VALUE; + break; + } + ret = UnsubscribeLocalHardware(dhId); + } while (0); reply.WriteInt32(ret); return DCAMERA_OK; } @@ -93,8 +118,16 @@ int32_t DistributedCameraSinkStub::UnsubscribeLocalHardwareInner(MessageParcel & int32_t DistributedCameraSinkStub::StopCaptureInner(MessageParcel &data, MessageParcel &reply) { DHLOGD("DistributedCameraSinkStub::StopCaptureInner"); - std::string dhId = data.ReadString(); - int32_t ret = StopCapture(dhId); + int32_t ret = DCAMERA_OK; + do { + std::string dhId = data.ReadString(); + if (dhId.empty() || dhId.size() > DID_MAX_SIZE) { + DHLOGE("DistributedCameraSinkStub::StopCaptureInner params is invalid"); + ret = DCAMERA_BAD_VALUE; + break; + } + ret = StopCapture(dhId); + } while (0); reply.WriteInt32(ret); return DCAMERA_OK; } @@ -102,9 +135,18 @@ int32_t DistributedCameraSinkStub::StopCaptureInner(MessageParcel &data, Message int32_t DistributedCameraSinkStub::ChannelNegInner(MessageParcel &data, MessageParcel &reply) { DHLOGD("DistributedCameraSinkStub::ChannelNegInner"); - std::string dhId = data.ReadString(); - std::string channelInfo = data.ReadString(); - int32_t ret = ChannelNeg(dhId, channelInfo); + int32_t ret = DCAMERA_OK; + do { + std::string dhId = data.ReadString(); + std::string channelInfo = data.ReadString(); + if (dhId.empty() || dhId.size() > DID_MAX_SIZE || channelInfo.empty() || + channelInfo.size() > PARAM_MAX_SIZE) { + DHLOGE("DistributedCameraSinkStub::ChannelNegInner params is invalid"); + ret = DCAMERA_BAD_VALUE; + break; + } + ret = ChannelNeg(dhId, channelInfo); + } while (0); reply.WriteInt32(ret); return DCAMERA_OK; } @@ -112,9 +154,18 @@ int32_t DistributedCameraSinkStub::ChannelNegInner(MessageParcel &data, MessageP int32_t DistributedCameraSinkStub::GetCameraInfoInner(MessageParcel &data, MessageParcel &reply) { DHLOGD("DistributedCameraSinkStub::GetCameraInfoInner"); - std::string dhId = data.ReadString(); - std::string cameraInfo = data.ReadString(); - int32_t ret = GetCameraInfo(dhId, cameraInfo); + int32_t ret = DCAMERA_OK; + do { + std::string dhId = data.ReadString(); + std::string cameraInfo = data.ReadString(); + if (dhId.empty() || dhId.size() > DID_MAX_SIZE || cameraInfo.empty() || + cameraInfo.size() > PARAM_MAX_SIZE) { + DHLOGE("DistributedCameraSinkStub::GetCameraInfoInner params is invalid"); + ret = DCAMERA_BAD_VALUE; + break; + } + ret = GetCameraInfo(dhId, cameraInfo); + } while (0); reply.WriteInt32(ret); return DCAMERA_OK; } @@ -122,9 +173,18 @@ int32_t DistributedCameraSinkStub::GetCameraInfoInner(MessageParcel &data, Messa int32_t DistributedCameraSinkStub::OpenChannelInner(MessageParcel &data, MessageParcel &reply) { DHLOGD("DistributedCameraSinkStub::OpenChannelInner"); - std::string dhId = data.ReadString(); - std::string openInfo = data.ReadString(); - int32_t ret = OpenChannel(dhId, openInfo); + int32_t ret = DCAMERA_OK; + do { + std::string dhId = data.ReadString(); + std::string openInfo = data.ReadString(); + if (dhId.empty() || dhId.size() > DID_MAX_SIZE || openInfo.empty()|| + openInfo.size() > PARAM_MAX_SIZE) { + DHLOGE("DistributedCameraSinkStub::OpenChannelInner params is invalid"); + ret = DCAMERA_BAD_VALUE; + break; + } + ret = OpenChannel(dhId, openInfo); + } while (0); reply.WriteInt32(ret); return DCAMERA_OK; } @@ -132,8 +192,16 @@ int32_t DistributedCameraSinkStub::OpenChannelInner(MessageParcel &data, Message int32_t DistributedCameraSinkStub::CloseChannelInner(MessageParcel &data, MessageParcel &reply) { DHLOGD("DistributedCameraSinkStub::CloseChannelInner"); - std::string dhId = data.ReadString(); - int32_t ret = CloseChannel(dhId); + int32_t ret = DCAMERA_OK; + do { + std::string dhId = data.ReadString(); + if (dhId.empty() || dhId.size() > DID_MAX_SIZE) { + DHLOGE("DistributedCameraSinkStub::CloseChannelInner params is invalid"); + ret = DCAMERA_BAD_VALUE; + break; + } + ret = CloseChannel(dhId); + } while (0); reply.WriteInt32(ret); return DCAMERA_OK; } diff --git a/services/cameraservice/sinkservice/src/distributedcameramgr/dcamera_sink_controller.cpp b/services/cameraservice/sinkservice/src/distributedcameramgr/dcamera_sink_controller.cpp index 2f13d07f..10d07034 100644 --- a/services/cameraservice/sinkservice/src/distributedcameramgr/dcamera_sink_controller.cpp +++ b/services/cameraservice/sinkservice/src/distributedcameramgr/dcamera_sink_controller.cpp @@ -401,6 +401,10 @@ void DCameraSinkController::OnDataReceived(std::vectorSize() <= 0 || buffer->Size() > DATABUFF_MAX_SIZE) { + DHLOGI("DCameraSinkController::OnDataReceived buffer is invalid"); + return; + } HandleReceivedData(buffer); } } diff --git a/services/data_process/include/pipeline_node/multimedia_codec/encoder/encode_data_process.h b/services/data_process/include/pipeline_node/multimedia_codec/encoder/encode_data_process.h index a7e9275d..46eea982 100644 --- a/services/data_process/include/pipeline_node/multimedia_codec/encoder/encode_data_process.h +++ b/services/data_process/include/pipeline_node/multimedia_codec/encoder/encode_data_process.h @@ -87,6 +87,7 @@ private: constexpr static int32_t MAX_VIDEO_HEIGHT = 1080; constexpr static int32_t IDR_FRAME_INTERVAL_MS = 300; constexpr static int32_t FIRST_FRAME_OUTPUT_NUM = 2; + const int32_t DATABUFF_MAX_SIZE = 100 * 1024 * 1024; constexpr static int64_t WIDTH_320_HEIGHT_240 = 320 * 240; constexpr static int64_t WIDTH_480_HEIGHT_360 = 480 * 360; diff --git a/services/data_process/src/pipeline_node/multimedia_codec/encoder/encode_data_process.cpp b/services/data_process/src/pipeline_node/multimedia_codec/encoder/encode_data_process.cpp index c9d0e265..0c13513a 100644 --- a/services/data_process/src/pipeline_node/multimedia_codec/encoder/encode_data_process.cpp +++ b/services/data_process/src/pipeline_node/multimedia_codec/encoder/encode_data_process.cpp @@ -485,7 +485,7 @@ int32_t EncodeDataProcess::GetEncoderOutputBuffer(uint32_t index, Media::AVCodec return DCAMERA_BAD_OPERATE; } - if (info.size <= 0) { + if (info.size <= 0 || info.size > DATABUFF_MAX_SIZE) { DHLOGE("AVCodecBufferInfo error, buffer size : %d", info.size); return DCAMERA_BAD_VALUE; } diff --git a/services/data_process/src/pipeline_node/multimedia_codec/encoder/encode_data_process_common.cpp b/services/data_process/src/pipeline_node/multimedia_codec/encoder/encode_data_process_common.cpp index c95f53ca..c11b9436 100644 --- a/services/data_process/src/pipeline_node/multimedia_codec/encoder/encode_data_process_common.cpp +++ b/services/data_process/src/pipeline_node/multimedia_codec/encoder/encode_data_process_common.cpp @@ -442,7 +442,7 @@ int32_t EncodeDataProcess::GetEncoderOutputBuffer(uint32_t index, Media::AVCodec return DCAMERA_BAD_OPERATE; } - if (info.size <= 0) { + if (info.size <= 0 || info.size > DATABUFF_MAX_SIZE) { DHLOGE("AVCodecBufferInfo error, buffer size : %d", info.size); return DCAMERA_BAD_VALUE; } -- Gitee From a452823ebf55e131c882a8cbdd4e03796696fcbc Mon Sep 17 00:00:00 2001 From: chen0088 Date: Thu, 22 Sep 2022 16:09:02 +0800 Subject: [PATCH 2/2] fix: add exception check Signed-off-by: chen0088 --- .../callback/dcamera_source_callback_stub.h | 4 + .../include/distributed_camera_source_proxy.h | 7 ++ .../callback/dcamera_source_callback_stub.cpp | 25 ++++++ .../src/distributed_camera_source_proxy.cpp | 67 ++++++++++++++ .../client/src/dcamera_client.cpp | 5 +- .../distributed_camera_sink_service.h | 1 + .../dcamera_sink_hidumper.cpp | 7 +- .../distributed_camera_sink_service.cpp | 4 + .../dcamera_source_callback_proxy.h | 5 ++ .../distributed_camera_source_service.h | 2 + .../distributed_camera_source_stub.h | 6 ++ .../dcamera_provider_callback_impl.h | 8 ++ .../dcamera_source_callback_proxy.cpp | 23 +++++ .../dcamera_source_hidumper.cpp | 7 +- .../distributed_camera_source_service.cpp | 8 ++ .../distributed_camera_source_stub.cpp | 71 +++++++++++++++ .../dcamera_provider_callback_impl.cpp | 87 +++++++++++++++++++ .../channel/src/dcamera_softbus_session.cpp | 1 + 18 files changed, 329 insertions(+), 9 deletions(-) diff --git a/interfaces/inner_kits/native_cpp/camera_source/include/callback/dcamera_source_callback_stub.h b/interfaces/inner_kits/native_cpp/camera_source/include/callback/dcamera_source_callback_stub.h index 08e85f91..40ecb773 100644 --- a/interfaces/inner_kits/native_cpp/camera_source/include/callback/dcamera_source_callback_stub.h +++ b/interfaces/inner_kits/native_cpp/camera_source/include/callback/dcamera_source_callback_stub.h @@ -36,9 +36,13 @@ public: private: int32_t NotifyRegResultInner(MessageParcel &data, MessageParcel &reply); int32_t NotifyUnregResultInner(MessageParcel &data, MessageParcel &reply); + bool CheckParams(const std::string& devId, const std::string& dhId, const std::string& reqId, + const std::string& result); using DCameraFunc = int32_t (DCameraSourceCallbackStub::*)(MessageParcel &data, MessageParcel &reply); std::map memberFuncMap_; + const size_t PARAM_MAX_SIZE = 50 * 1024 * 1024; + const size_t DID_MAX_SIZE = 256; }; } // namespace DistributedHardware } // namespace OHOS diff --git a/interfaces/inner_kits/native_cpp/camera_source/include/distributed_camera_source_proxy.h b/interfaces/inner_kits/native_cpp/camera_source/include/distributed_camera_source_proxy.h index f08f2764..356735e0 100644 --- a/interfaces/inner_kits/native_cpp/camera_source/include/distributed_camera_source_proxy.h +++ b/interfaces/inner_kits/native_cpp/camera_source/include/distributed_camera_source_proxy.h @@ -43,7 +43,14 @@ public: int32_t DCameraNotify(const std::string& devId, const std::string& dhId, std::string& events) override; private: + bool CheckRegParams(const std::string& devId, const std::string& dhId, + const std::string& reqId, const EnableParam& param); + bool CheckUnregParams(const std::string& devId, const std::string& dhId, const std::string& reqId); + bool CheckNotifyParams(const std::string& devId, const std::string& dhId, std::string& events); + static inline BrokerDelegator delegator_; + const size_t PARAM_MAX_SIZE = 50 * 1024 * 1024; + const size_t DID_MAX_SIZE = 256; }; } // namespace DistributedHardware } // namespace OHOS diff --git a/interfaces/inner_kits/native_cpp/camera_source/src/callback/dcamera_source_callback_stub.cpp b/interfaces/inner_kits/native_cpp/camera_source/src/callback/dcamera_source_callback_stub.cpp index 29ffc0eb..ab6cfa71 100644 --- a/interfaces/inner_kits/native_cpp/camera_source/src/callback/dcamera_source_callback_stub.cpp +++ b/interfaces/inner_kits/native_cpp/camera_source/src/callback/dcamera_source_callback_stub.cpp @@ -61,6 +61,11 @@ int32_t DCameraSourceCallbackStub::NotifyRegResultInner(MessageParcel &data, Mes std::string reqId = data.ReadString(); int32_t status = data.ReadInt32(); std::string result = data.ReadString(); + if (!CheckParams(devId, dhId, reqId, result)) { + DHLOGE("DCameraSourceCallbackStub NotifyRegResultInner input is invalid"); + ret = DCAMERA_BAD_VALUE; + break; + } ret = OnNotifyRegResult(devId, dhId, reqId, status, result); } while (0); reply.WriteInt32(ret); @@ -77,10 +82,30 @@ int32_t DCameraSourceCallbackStub::NotifyUnregResultInner(MessageParcel &data, M std::string reqId = data.ReadString(); int32_t status = data.ReadInt32(); std::string result = data.ReadString(); + if (!CheckParams(devId, dhId, reqId, result)) { + DHLOGE("DCameraSourceCallbackStub NotifyUnregResultInner input is invalid"); + ret = DCAMERA_BAD_VALUE; + break; + } ret = OnNotifyUnregResult(devId, dhId, reqId, status, result); } while (0); reply.WriteInt32(ret); return DCAMERA_OK; } + +bool DCameraSourceCallbackStub::CheckParams(const std::string& devId, const std::string& dhId, const std::string& reqId, + const std::string& result) +{ + if (devId.empty() || devId.size() > DID_MAX_SIZE || dhId.empty() || dhId.size() > DID_MAX_SIZE) { + DHLOGE("DCameraSourceCallbackStub CheckParams devId or dhId is invalid"); + return false; + } + + if (reqId.empty() || reqId.size() > DID_MAX_SIZE || result.size() > PARAM_MAX_SIZE) { + DHLOGE("DCameraSourceCallbackStub CheckParams reqId or result is invalid"); + return false; + } + return true; +} } // namespace DistributedHardware } // namespace OHOS diff --git a/interfaces/inner_kits/native_cpp/camera_source/src/distributed_camera_source_proxy.cpp b/interfaces/inner_kits/native_cpp/camera_source/src/distributed_camera_source_proxy.cpp index 735fad7e..9d284821 100644 --- a/interfaces/inner_kits/native_cpp/camera_source/src/distributed_camera_source_proxy.cpp +++ b/interfaces/inner_kits/native_cpp/camera_source/src/distributed_camera_source_proxy.cpp @@ -28,6 +28,10 @@ int32_t DistributedCameraSourceProxy::InitSource(const std::string& params, const sptr& callback) { DHLOGI("DistributedCameraSourceProxy InitSource"); + if (params.empty() || params.size() > PARAM_MAX_SIZE) { + DHLOGE("DistributedCameraSourceProxy InitSource params is invalid"); + return DCAMERA_BAD_VALUE; + } sptr remote = Remote(); if (remote == nullptr) { DHLOGE("DistributedCameraSourceProxy remote service null"); @@ -81,6 +85,10 @@ int32_t DistributedCameraSourceProxy::RegisterDistributedHardware(const std::str { DHLOGI("DistributedCameraSourceProxy RegisterDistributedHardware devId: %s dhId: %s", GetAnonyString(devId).c_str(), GetAnonyString(dhId).c_str()); + if (!CheckRegParams(devId, dhId, reqId, param)) { + DHLOGE("DistributedCameraSourceProxy RegisterDistributedHardware input is invalid"); + return DCAMERA_BAD_VALUE; + } sptr remote = Remote(); if (remote == nullptr) { DHLOGE("DistributedCameraSourceProxy remote service null"); @@ -104,11 +112,36 @@ int32_t DistributedCameraSourceProxy::RegisterDistributedHardware(const std::str return result; } +bool DistributedCameraSourceProxy::CheckRegParams(const std::string& devId, const std::string& dhId, + const std::string& reqId, const EnableParam& param) +{ + if (devId.empty() || devId.size() > DID_MAX_SIZE || dhId.empty() || dhId.size() > DID_MAX_SIZE) { + DHLOGE("DistributedCameraSourceProxy CheckRegParams devId or dhId is invalid"); + return false; + } + + if (reqId.empty() || reqId.size() > DID_MAX_SIZE) { + DHLOGE("DistributedCameraSourceProxy CheckRegParams reqId is invalid"); + return false; + } + + if (param.version.empty() || param.version.size() > PARAM_MAX_SIZE || + param.attrs.empty() || param.attrs.size() > PARAM_MAX_SIZE) { + DHLOGE("DistributedCameraSourceProxy CheckRegParams param is invalid"); + return false; + } + return true; +} + int32_t DistributedCameraSourceProxy::UnregisterDistributedHardware(const std::string& devId, const std::string& dhId, const std::string& reqId) { DHLOGI("DistributedCameraSourceProxy UnregisterDistributedHardware devId: %s dhId: %s", GetAnonyString(devId).c_str(), GetAnonyString(dhId).c_str()); + if (!CheckUnregParams(devId, dhId, reqId)) { + DHLOGE("DistributedCameraSourceProxy UnregisterDistributedHardware input is invalid"); + return DCAMERA_BAD_VALUE; + } sptr remote = Remote(); if (remote == nullptr) { DHLOGE("DistributedCameraSourceProxy remote service null"); @@ -131,11 +164,30 @@ int32_t DistributedCameraSourceProxy::UnregisterDistributedHardware(const std::s return result; } +bool DistributedCameraSourceProxy::CheckUnregParams(const std::string& devId, const std::string& dhId, + const std::string& reqId) +{ + if (devId.empty() || devId.size() > DID_MAX_SIZE || dhId.empty() || dhId.size() > DID_MAX_SIZE) { + DHLOGE("DistributedCameraSourceProxy CheckUnregParams devId or dhId is invalid"); + return false; + } + + if (reqId.empty() || reqId.size() > DID_MAX_SIZE) { + DHLOGE("DistributedCameraSourceProxy CheckUnregParams reqId is invalid"); + return false; + } + return true; +} + int32_t DistributedCameraSourceProxy::DCameraNotify(const std::string& devId, const std::string& dhId, std::string& events) { DHLOGI("DCameraNotify devId: %s dhId: %s events: %s", GetAnonyString(devId).c_str(), GetAnonyString(dhId).c_str(), events.c_str()); + if (!CheckNotifyParams(devId, dhId, events)) { + DHLOGE("DistributedCameraSourceProxy DCameraNotify input is invalid"); + return DCAMERA_BAD_VALUE; + } sptr remote = Remote(); if (remote == nullptr) { DHLOGE("DistributedCameraSourceProxy remote service null"); @@ -157,5 +209,20 @@ int32_t DistributedCameraSourceProxy::DCameraNotify(const std::string& devId, co int32_t result = reply.ReadInt32(); return result; } + +bool DistributedCameraSourceProxy::CheckNotifyParams(const std::string& devId, const std::string& dhId, + std::string& events) +{ + if (devId.empty() || devId.size() > DID_MAX_SIZE || dhId.empty() || dhId.size() > DID_MAX_SIZE) { + DHLOGE("DistributedCameraSourceProxy CheckNotifyParams devId or dhId is invalid"); + return false; + } + + if (events.empty() || events.size() > PARAM_MAX_SIZE) { + DHLOGE("DistributedCameraSourceProxy CheckNotifyParams events is invalid"); + return false; + } + return true; +} } // namespace DistributedHardware } // namespace OHOS diff --git a/services/cameraservice/cameraoperator/client/src/dcamera_client.cpp b/services/cameraservice/cameraoperator/client/src/dcamera_client.cpp index bd8b44ad..84f94373 100644 --- a/services/cameraservice/cameraoperator/client/src/dcamera_client.cpp +++ b/services/cameraservice/cameraoperator/client/src/dcamera_client.cpp @@ -564,9 +564,8 @@ void DCameraClient::SetPhotoCaptureLocation(const std::shared_ptrlongitude = item.data.d[longitudeIndex]; location->altitude = item.data.d[altitudeIndex]; photoCaptureSetting->SetLocation(location); - DHLOGI("DCameraClient::SetPhotoCaptureLocation %s photo capture settings set %d location: " + - "latitude=%f, longitude=%f, altitude=%f", GetAnonyString(cameraId_).c_str(), item.count, - item.data.d[latitudeIndex], item.data.d[longitudeIndex], item.data.d[altitudeIndex]); + DHLOGI("DCameraClient::SetPhotoCaptureLocation %s photo capture settings set %d location success" , + GetAnonyString(cameraId_).c_str(), item.count); } } diff --git a/services/cameraservice/sinkservice/include/distributedcamera/distributed_camera_sink_service.h b/services/cameraservice/sinkservice/include/distributedcamera/distributed_camera_sink_service.h index 40f5d4db..2222c4fc 100644 --- a/services/cameraservice/sinkservice/include/distributedcamera/distributed_camera_sink_service.h +++ b/services/cameraservice/sinkservice/include/distributedcamera/distributed_camera_sink_service.h @@ -59,6 +59,7 @@ private: std::string sinkVer_; std::map> camerasMap_; static DistributedCameraSinkService* dcSinkService; + const size_t DUMP_MAX_SIZE = 10 * 1024; }; } // namespace DistributedHardware } // namespace OHOS diff --git a/services/cameraservice/sinkservice/src/distributedcamera/dcamera_sink_hidumper.cpp b/services/cameraservice/sinkservice/src/distributedcamera/dcamera_sink_hidumper.cpp index 06b08a54..4ab38912 100644 --- a/services/cameraservice/sinkservice/src/distributedcamera/dcamera_sink_hidumper.cpp +++ b/services/cameraservice/sinkservice/src/distributedcamera/dcamera_sink_hidumper.cpp @@ -47,9 +47,6 @@ bool DcameraSinkHidumper::Dump(const std::vector& args, std::string DHLOGI("DcameraSinkHidumper Dump args.size():%d.", args.size()); result.clear(); int32_t argsSize = static_cast(args.size()); - for (int32_t i = 0; i < argsSize; i++) { - DHLOGI("DcameraSinkHidumper Dump args[%d]: %s.", i, args.at(i).c_str()); - } if (args.empty()) { ShowHelp(result); @@ -59,6 +56,10 @@ bool DcameraSinkHidumper::Dump(const std::vector& args, std::string return true; } + for (int32_t i = 0; i < argsSize; i++) { + DHLOGI("DcameraSinkHidumper Dump args[%d]: %s.", i, args.at(i).c_str()); + } + if (ProcessDump(args[0], result) != DCAMERA_OK) { return false; } diff --git a/services/cameraservice/sinkservice/src/distributedcamera/distributed_camera_sink_service.cpp b/services/cameraservice/sinkservice/src/distributedcamera/distributed_camera_sink_service.cpp index 1ae84ce7..7403f730 100644 --- a/services/cameraservice/sinkservice/src/distributedcamera/distributed_camera_sink_service.cpp +++ b/services/cameraservice/sinkservice/src/distributedcamera/distributed_camera_sink_service.cpp @@ -266,6 +266,10 @@ int32_t DistributedCameraSinkService::CloseChannel(const std::string& dhId) int DistributedCameraSinkService::Dump(int32_t fd, const std::vector& args) { DHLOGI("DistributedCameraSinkService Dump."); + if (args.size() > DUMP_MAX_SIZE) { + DHLOGE("DistributedCameraSinkService Dump input is invalid"); + return DCAMERA_BAD_VALUE; + } std::string result; std::vector argsStr; for (auto item : args) { diff --git a/services/cameraservice/sourceservice/include/distributedcamera/dcamera_source_callback_proxy.h b/services/cameraservice/sourceservice/include/distributedcamera/dcamera_source_callback_proxy.h index fa9dcbef..1df2535f 100644 --- a/services/cameraservice/sourceservice/include/distributedcamera/dcamera_source_callback_proxy.h +++ b/services/cameraservice/sourceservice/include/distributedcamera/dcamera_source_callback_proxy.h @@ -37,7 +37,12 @@ public: int32_t OnNotifyUnregResult(const std::string& devId, const std::string& dhId, const std::string& reqId, int32_t status, std::string& data) override; private: + bool CheckParams(const std::string& devId, const std::string& dhId, + const std::string& reqId, std::string& data); + static inline BrokerDelegator delegator_; + const size_t PARAM_MAX_SIZE = 50 * 1024 * 1024; + const size_t DID_MAX_SIZE = 256; }; } // namespace DistributedHardware } // namespace OHOS diff --git a/services/cameraservice/sourceservice/include/distributedcamera/distributed_camera_source_service.h b/services/cameraservice/sourceservice/include/distributedcamera/distributed_camera_source_service.h index 52d6bba9..8da2db80 100644 --- a/services/cameraservice/sourceservice/include/distributedcamera/distributed_camera_source_service.h +++ b/services/cameraservice/sourceservice/include/distributedcamera/distributed_camera_source_service.h @@ -67,6 +67,8 @@ private: std::shared_ptr listener_; std::string sourceVer_; + const size_t MAX_CAMERAS_NUMBER = 32; + const size_t DUMP_MAX_SIZE = 10 * 1024; }; } // namespace DistributedHardware } // namespace OHOS diff --git a/services/cameraservice/sourceservice/include/distributedcamera/distributed_camera_source_stub.h b/services/cameraservice/sourceservice/include/distributedcamera/distributed_camera_source_stub.h index 1951816d..7b34b303 100644 --- a/services/cameraservice/sourceservice/include/distributedcamera/distributed_camera_source_stub.h +++ b/services/cameraservice/sourceservice/include/distributedcamera/distributed_camera_source_stub.h @@ -35,9 +35,15 @@ private: int32_t RegisterDistributedHardwareInner(MessageParcel &data, MessageParcel &reply); int32_t UnregisterDistributedHardwareInner(MessageParcel &data, MessageParcel &reply); int32_t DCameraNotifyInner(MessageParcel &data, MessageParcel &reply); + bool CheckRegParams(const std::string& devId, const std::string& dhId, + const std::string& reqId, const EnableParam& param); + bool CheckUnregParams(const std::string& devId, const std::string& dhId, const std::string& reqId); + bool CheckNotifyParams(const std::string& devId, const std::string& dhId, std::string& events); using DCameraFunc = int32_t (DistributedCameraSourceStub::*)(MessageParcel &data, MessageParcel &reply); std::map memberFuncMap_; + const size_t PARAM_MAX_SIZE = 50 * 1024 * 1024; + const size_t DID_MAX_SIZE = 256; }; } // namespace DistributedHardware } // namespace OHOS diff --git a/services/cameraservice/sourceservice/include/distributedcameramgr/dcamerahdf/dcamera_provider_callback_impl.h b/services/cameraservice/sourceservice/include/distributedcameramgr/dcamerahdf/dcamera_provider_callback_impl.h index a373ee63..9a62703d 100644 --- a/services/cameraservice/sourceservice/include/distributedcameramgr/dcamerahdf/dcamera_provider_callback_impl.h +++ b/services/cameraservice/sourceservice/include/distributedcameramgr/dcamerahdf/dcamera_provider_callback_impl.h @@ -36,9 +36,17 @@ public: int32_t UpdateSettings(const DHBase& dhBase, const std::vector& settings) override; private: + bool CheckDHBase(const DHBase& dhBase); + bool CheckStreamInfo(const DCStreamInfo& stream); + bool CheckCaptureInfo(const DCCaptureInfo& captureInfo); + std::string devId_; std::string dhId_; std::weak_ptr sourceDev_; + const size_t PARAM_MAX_SIZE = 50 * 1024 * 1024; + const size_t DID_MAX_SIZE = 256; + const int32_t RESOLUTION_MAX_WIDTH = 10000; + const int32_t RESOLUTION_MAX_HEIGHT = 10000; }; } // namespace DistributedHardware } // namespace OHOS diff --git a/services/cameraservice/sourceservice/src/distributedcamera/dcamera_source_callback_proxy.cpp b/services/cameraservice/sourceservice/src/distributedcamera/dcamera_source_callback_proxy.cpp index 3bf4f8da..dee397ca 100644 --- a/services/cameraservice/sourceservice/src/distributedcamera/dcamera_source_callback_proxy.cpp +++ b/services/cameraservice/sourceservice/src/distributedcamera/dcamera_source_callback_proxy.cpp @@ -26,6 +26,10 @@ namespace DistributedHardware { int32_t DCameraSourceCallbackProxy::OnNotifyRegResult(const std::string& devId, const std::string& dhId, const std::string& reqId, int32_t status, std::string& data) { + if (!CheckParams(devId, dhId, reqId, data)) { + DHLOGE("DCameraSourceCallbackProxy OnNotifyRegResult input is invalid"); + return DCAMERA_BAD_VALUE; + } sptr remote = Remote(); if (remote == nullptr) { DHLOGE("DCameraSourceCallbackProxy remote service null"); @@ -52,6 +56,10 @@ int32_t DCameraSourceCallbackProxy::OnNotifyRegResult(const std::string& devId, int32_t DCameraSourceCallbackProxy::OnNotifyUnregResult(const std::string& devId, const std::string& dhId, const std::string& reqId, int32_t status, std::string& data) { + if (!CheckParams(devId, dhId, reqId, data)) { + DHLOGE("DCameraSourceCallbackProxy OnNotifyUnregResult input is invalid"); + return DCAMERA_BAD_VALUE; + } sptr remote = Remote(); if (remote == nullptr) { DHLOGE("DCameraSourceCallbackProxy remote service null"); @@ -74,5 +82,20 @@ int32_t DCameraSourceCallbackProxy::OnNotifyUnregResult(const std::string& devId int32_t result = reply.ReadInt32(); return result; } + +bool DCameraSourceCallbackProxy::CheckParams(const std::string& devId, const std::string& dhId, + const std::string& reqId, std::string& data) +{ + if (devId.empty() || devId.size() > DID_MAX_SIZE || dhId.empty() || dhId.size() > DID_MAX_SIZE) { + DHLOGE("DCameraSourceCallbackProxy CheckParams devId or dhId is invalid"); + return false; + } + + if (reqId.empty() || reqId.size() > DID_MAX_SIZE || data.size() > PARAM_MAX_SIZE) { + DHLOGE("DCameraSourceCallbackProxy CheckParams reqId or data is invalid"); + return false; + } + return true; +} } // namespace DistributedHardware } // namespace OHOS diff --git a/services/cameraservice/sourceservice/src/distributedcamera/dcamera_source_hidumper.cpp b/services/cameraservice/sourceservice/src/distributedcamera/dcamera_source_hidumper.cpp index 3db25a3a..7b4ab149 100644 --- a/services/cameraservice/sourceservice/src/distributedcamera/dcamera_source_hidumper.cpp +++ b/services/cameraservice/sourceservice/src/distributedcamera/dcamera_source_hidumper.cpp @@ -60,9 +60,6 @@ bool DcameraSourceHidumper::Dump(const std::vector& args, std::stri DHLOGI("DcameraSourceHidumper Dump args.size():%d.", args.size()); result.clear(); int32_t argsSize = static_cast(args.size()); - for (int32_t i = 0; i < argsSize; i++) { - DHLOGI("DcameraSourceHidumper Dump args[%d]: %s.", i, args.at(i).c_str()); - } if (args.empty()) { ShowHelp(result); @@ -72,6 +69,10 @@ bool DcameraSourceHidumper::Dump(const std::vector& args, std::stri return true; } + for (int32_t i = 0; i < argsSize; i++) { + DHLOGI("DcameraSourceHidumper Dump args[%d]: %s.", i, args.at(i).c_str()); + } + if (ProcessDump(args[0], result) != DCAMERA_OK) { return false; } diff --git a/services/cameraservice/sourceservice/src/distributedcamera/distributed_camera_source_service.cpp b/services/cameraservice/sourceservice/src/distributedcamera/distributed_camera_source_service.cpp index 39bebfe4..32e2b987 100644 --- a/services/cameraservice/sourceservice/src/distributedcamera/distributed_camera_source_service.cpp +++ b/services/cameraservice/sourceservice/src/distributedcamera/distributed_camera_source_service.cpp @@ -117,6 +117,10 @@ int32_t DistributedCameraSourceService::RegisterDistributedHardware(const std::s { DHLOGI("DistributedCameraSourceService RegisterDistributedHardware devId: %s, dhId: %s, version: %s", GetAnonyString(devId).c_str(), GetAnonyString(dhId).c_str(), param.version.c_str()); + if (camerasMap_.size() > MAX_CAMERAS_NUMBER) { + DHLOGE("DistributedCameraSourceService RegisterDistributedHardware cameras exceed the upper limit"); + return DCAMERA_BAD_VALUE; + } DCameraIndex camIndex(devId, dhId); std::shared_ptr camDev = nullptr; int32_t ret = DCAMERA_OK; @@ -222,6 +226,10 @@ int32_t DistributedCameraSourceService::UnLoadCameraHDF() int DistributedCameraSourceService::Dump(int32_t fd, const std::vector& args) { DHLOGI("DistributedCameraSourceService Dump."); + if (args.size() > DUMP_MAX_SIZE) { + DHLOGE("DistributedCameraSourceService Dump input is invalid"); + return DCAMERA_BAD_VALUE; + } std::string result; std::vector argsStr; for (auto item : args) { diff --git a/services/cameraservice/sourceservice/src/distributedcamera/distributed_camera_source_stub.cpp b/services/cameraservice/sourceservice/src/distributedcamera/distributed_camera_source_stub.cpp index e9461b54..81dcd86a 100644 --- a/services/cameraservice/sourceservice/src/distributedcamera/distributed_camera_source_stub.cpp +++ b/services/cameraservice/sourceservice/src/distributedcamera/distributed_camera_source_stub.cpp @@ -58,6 +58,11 @@ int32_t DistributedCameraSourceStub::InitSourceInner(MessageParcel &data, Messag int32_t ret = DCAMERA_OK; do { std::string params = data.ReadString(); + if (params.empty() || params.size() > PARAM_MAX_SIZE) { + DHLOGE("DistributedCameraSourceStub InitSourceInner input params is invalid"); + ret = DCAMERA_BAD_VALUE; + break; + } sptr remoteObj = data.ReadRemoteObject(); if (remoteObj == nullptr) { DHLOGE("DistributedCameraSourceStub initSource read object failed"); @@ -98,6 +103,11 @@ int32_t DistributedCameraSourceStub::RegisterDistributedHardwareInner(MessagePar EnableParam params; params.version = data.ReadString(); params.attrs = data.ReadString(); + if (!CheckRegParams(devId, dhId, reqId, params)) { + DHLOGE("DistributedCameraSourceStub RegisterDistributedHardwareInner input is invalid"); + ret = DCAMERA_BAD_VALUE; + break; + } ret = RegisterDistributedHardware(devId, dhId, reqId, params); DHLOGI("DistributedCameraSourceStub RegisterDistributedHardware %d", ret); } while (0); @@ -105,6 +115,27 @@ int32_t DistributedCameraSourceStub::RegisterDistributedHardwareInner(MessagePar return DCAMERA_OK; } +bool DistributedCameraSourceStub::CheckRegParams(const std::string& devId, const std::string& dhId, + const std::string& reqId, const EnableParam& param) +{ + if (devId.empty() || devId.size() > DID_MAX_SIZE || dhId.empty() || dhId.size() > DID_MAX_SIZE) { + DHLOGE("DistributedCameraSourceStub CheckRegParams devId or dhId is invalid"); + return false; + } + + if (reqId.empty() || reqId.size() > DID_MAX_SIZE) { + DHLOGE("DistributedCameraSourceStub CheckRegParams reqId is invalid"); + return false; + } + + if (param.version.empty() || param.version.size() > PARAM_MAX_SIZE || + param.attrs.empty() || param.attrs.size() > PARAM_MAX_SIZE) { + DHLOGE("DistributedCameraSourceStub CheckRegParams param is invalid"); + return false; + } + return true; +} + int32_t DistributedCameraSourceStub::UnregisterDistributedHardwareInner(MessageParcel &data, MessageParcel &reply) { DHLOGD("DistributedCameraSourceStub UnregisterDistributedHardwareInner"); @@ -113,12 +144,32 @@ int32_t DistributedCameraSourceStub::UnregisterDistributedHardwareInner(MessageP std::string devId = data.ReadString(); std::string dhId = data.ReadString(); std::string reqId = data.ReadString(); + if (!CheckUnregParams(devId, dhId, reqId)) { + DHLOGE("DistributedCameraSourceService UnregisterDistributedHardware input is invalid"); + ret = DCAMERA_BAD_VALUE; + break; + } ret = UnregisterDistributedHardware(devId, dhId, reqId); } while (0); reply.WriteInt32(ret); return DCAMERA_OK; } +bool DistributedCameraSourceStub::CheckUnregParams(const std::string& devId, const std::string& dhId, + const std::string& reqId) +{ + if (devId.empty() || devId.size() > DID_MAX_SIZE || dhId.empty() || dhId.size() > DID_MAX_SIZE) { + DHLOGE("DistributedCameraSourceStub CheckUnregParams devId or dhId is invalid"); + return false; + } + + if (reqId.empty() || reqId.size() > DID_MAX_SIZE) { + DHLOGE("DistributedCameraSourceStub CheckUnregParams reqId is invalid"); + return false; + } + return true; +} + int32_t DistributedCameraSourceStub::DCameraNotifyInner(MessageParcel &data, MessageParcel &reply) { int32_t ret = DCAMERA_OK; @@ -126,10 +177,30 @@ int32_t DistributedCameraSourceStub::DCameraNotifyInner(MessageParcel &data, Mes std::string devId = data.ReadString(); std::string dhId = data.ReadString(); std::string events = data.ReadString(); + if (!CheckNotifyParams(devId, dhId, events)) { + DHLOGE("DistributedCameraSourceStub DCameraNotifyInner input is invalid"); + ret = DCAMERA_BAD_VALUE; + break; + } ret = DCameraNotify(devId, dhId, events); } while (0); reply.WriteInt32(ret); return DCAMERA_OK; } + +bool DistributedCameraSourceStub::CheckNotifyParams(const std::string& devId, const std::string& dhId, + std::string& events) +{ + if (devId.empty() || devId.size() > DID_MAX_SIZE || dhId.empty() || dhId.size() > DID_MAX_SIZE) { + DHLOGE("DistributedCameraSourceStub CheckNotifyParams devId or dhId is invalid"); + return false; + } + + if (events.empty() || events.size() > PARAM_MAX_SIZE) { + DHLOGE("DistributedCameraSourceStub CheckNotifyParams events is invalid"); + return false; + } + return true; +} } // namespace DistributedHardware } // namespace OHOS diff --git a/services/cameraservice/sourceservice/src/distributedcameramgr/dcamerahdf/dcamera_provider_callback_impl.cpp b/services/cameraservice/sourceservice/src/distributedcameramgr/dcamerahdf/dcamera_provider_callback_impl.cpp index 47cafff0..d2921218 100644 --- a/services/cameraservice/sourceservice/src/distributedcameramgr/dcamerahdf/dcamera_provider_callback_impl.cpp +++ b/services/cameraservice/sourceservice/src/distributedcameramgr/dcamerahdf/dcamera_provider_callback_impl.cpp @@ -41,6 +41,10 @@ int32_t DCameraProviderCallbackImpl::OpenSession(const DHBase& dhBase) { DHLOGI("DCameraProviderCallbackImpl OpenSession devId: %s dhId: %s", GetAnonyString(devId_).c_str(), GetAnonyString(dhId_).c_str()); + if (!CheckDHBase(dhBase)) { + DHLOGE("DCameraProviderCallbackImpl OpenSession input is invalid"); + return FAILED; + } std::shared_ptr sourceDev = sourceDev_.lock(); if (sourceDev == nullptr) { DHLOGE("DCameraProviderCallbackImpl OpenSession failed, can not get device, devId: %s, dhId: %s", @@ -61,6 +65,10 @@ int32_t DCameraProviderCallbackImpl::CloseSession(const DHBase& dhBase) { DHLOGI("DCameraProviderCallbackImpl CloseSession devId: %s dhId: %s", GetAnonyString(devId_).c_str(), GetAnonyString(dhId_).c_str()); + if (!CheckDHBase(dhBase)) { + DHLOGE("DCameraProviderCallbackImpl CloseSession input is invalid"); + return FAILED; + } std::shared_ptr sourceDev = sourceDev_.lock(); if (sourceDev == nullptr) { DHLOGE("DCameraProviderCallbackImpl CloseSession failed, can not get device, devId: %s, dhId: %s", @@ -77,11 +85,25 @@ int32_t DCameraProviderCallbackImpl::CloseSession(const DHBase& dhBase) return SUCCESS; } +bool DCameraProviderCallbackImpl::CheckDHBase(const DHBase& dhBase) +{ + if (dhBase.deviceId_.empty() || dhBase.deviceId_.size() > DID_MAX_SIZE || + dhBase.dhId_.empty() || dhBase.dhId_.size() > DID_MAX_SIZE ) { + DHLOGE("DCameraProviderCallbackImpl CheckDHBase dhBase is invalid"); + return false; + } + return true; +} + int32_t DCameraProviderCallbackImpl::ConfigureStreams(const DHBase& dhBase, const std::vector& streamInfos) { DHLOGI("DCameraProviderCallbackImpl ConfigStreams devId: %s dhId: %s", GetAnonyString(devId_).c_str(), GetAnonyString(dhId_).c_str()); + if (!CheckDHBase(dhBase) || streamInfos.empty() || streamInfos.size() > PARAM_MAX_SIZE) { + DHLOGE("DCameraProviderCallbackImpl ConfigStreams input is invalid"); + return FAILED; + } std::shared_ptr sourceDev = sourceDev_.lock(); if (sourceDev == nullptr) { DHLOGE("DCameraProviderCallbackImpl ConfigStreams failed, can not get device, devId: %s, dhId: %s", @@ -90,6 +112,10 @@ int32_t DCameraProviderCallbackImpl::ConfigureStreams(const DHBase& dhBase, } std::vector> streams; for (auto iter = streamInfos.begin(); iter != streamInfos.end(); iter++) { + if (!CheckStreamInfo(*iter)) { + DHLOGE("DCameraProviderCallbackImpl ConfigStreams streamInfo is invalid"); + return FAILED; + } std::shared_ptr stream = std::make_shared(); stream->streamId_ = iter->streamId_; stream->width_ = iter->width_; @@ -110,10 +136,29 @@ int32_t DCameraProviderCallbackImpl::ConfigureStreams(const DHBase& dhBase, return SUCCESS; } +bool DCameraProviderCallbackImpl::CheckStreamInfo(const DCStreamInfo& stream) +{ + if (stream.streamId_ < 0 || stream.width_ < 0 || stream.height_ < 0 || + (stream.width_ * stream.height_ > RESOLUTION_MAX_WIDTH * RESOLUTION_MAX_HEIGHT)) { + DHLOGE("DCameraProviderCallbackImpl CheckStreamInfo stream is invalid"); + return false; + } + + if (stream.stride_ < 0 || stream.format_ < 0 || stream.dataspace_ < 0) { + DHLOGE("DCameraProviderCallbackImpl CheckStreamInfo stream is invalid"); + return false; + } + return true; +} + int32_t DCameraProviderCallbackImpl::ReleaseStreams(const DHBase& dhBase, const std::vector& streamIds) { DHLOGI("DCameraProviderCallbackImpl ReleaseStreams devId: %s dhId: %s", GetAnonyString(devId_).c_str(), GetAnonyString(dhId_).c_str()); + if (!CheckDHBase(dhBase) || streamIds.size() > PARAM_MAX_SIZE) { + DHLOGE("DCameraProviderCallbackImpl ReleaseStreams input is invalid"); + return FAILED; + } std::shared_ptr sourceDev = sourceDev_.lock(); if (sourceDev == nullptr) { DHLOGE("DCameraProviderCallbackImpl ReleaseStreams failed, can not get device, devId: %s, dhId: %s", @@ -133,6 +178,10 @@ int32_t DCameraProviderCallbackImpl::StartCapture(const DHBase& dhBase, const st { DHLOGI("DCameraProviderCallbackImpl StartCapture devId: %s dhId: %s", GetAnonyString(devId_).c_str(), GetAnonyString(dhId_).c_str()); + if (!CheckDHBase(dhBase) || captureInfos.empty() || captureInfos.size() > PARAM_MAX_SIZE) { + DHLOGE("DCameraProviderCallbackImpl StartCapture input is invalid"); + return FAILED; + } std::shared_ptr sourceDev = sourceDev_.lock(); if (sourceDev == nullptr) { DHLOGE("DCameraProviderCallbackImpl StartCapture failed, can not get device, devId: %s, dhId: %s", @@ -142,6 +191,16 @@ int32_t DCameraProviderCallbackImpl::StartCapture(const DHBase& dhBase, const st std::vector> captures; for (auto iter = captureInfos.begin(); iter != captureInfos.end(); iter++) { + if (!CheckCaptureInfo(*iter)) { + DHLOGE("DCameraProviderCallbackImpl StartCapture captureInfo is invalid"); + return FAILED; + } + for (auto item : iter->captureSettings_) { + if (item.value_.size() > PARAM_MAX_SIZE) { + DHLOGE("DCameraProviderCallbackImpl StartCapture captureSettings value is too long"); + return FAILED; + } + } std::shared_ptr capture = std::make_shared(); capture->streamIds_.assign(iter->streamIds_.begin(), iter->streamIds_.end()); capture->width_ = iter->width_; @@ -164,10 +223,30 @@ int32_t DCameraProviderCallbackImpl::StartCapture(const DHBase& dhBase, const st return SUCCESS; } +bool DCameraProviderCallbackImpl::CheckCaptureInfo(const DCCaptureInfo& captureInfo) +{ + if (sizeof(captureInfo.streamIds_) > PARAM_MAX_SIZE || captureInfo.width_ < 0 || captureInfo.height_ < 0 || + (captureInfo.width_ * captureInfo.height_ > RESOLUTION_MAX_WIDTH * RESOLUTION_MAX_HEIGHT)) { + DHLOGE("DCameraProviderCallbackImpl CheckCaptureInfo captureInfo is invalid"); + return false; + } + + if (captureInfo.stride_ < 0 || captureInfo.format_ < 0 || captureInfo.dataspace_ < 0 || + sizeof(captureInfo.captureSettings_) > PARAM_MAX_SIZE) { + DHLOGE("DCameraProviderCallbackImpl CheckCaptureInfo captureInfo is invalid"); + return false; + } + return true; +} + int32_t DCameraProviderCallbackImpl::StopCapture(const DHBase& dhBase, const std::vector& streamIds) { DHLOGI("DCameraProviderCallbackImpl StopCapture devId: %s dhId: %s", GetAnonyString(devId_).c_str(), GetAnonyString(dhId_).c_str()); + if (!CheckDHBase(dhBase) || streamIds.size() > PARAM_MAX_SIZE) { + DHLOGE("DCameraProviderCallbackImpl StopCapture input is invalid"); + return FAILED; + } std::shared_ptr sourceDev = sourceDev_.lock(); if (sourceDev == nullptr) { DHLOGE("DCameraProviderCallbackImpl StopCapture failed, can not get device, devId: %s, dhId: %s", @@ -187,6 +266,10 @@ int32_t DCameraProviderCallbackImpl::UpdateSettings(const DHBase& dhBase, const { DHLOGI("DCameraProviderCallbackImpl UpdateSettings devId: %s dhId: %s", GetAnonyString(devId_).c_str(), GetAnonyString(dhId_).c_str()); + if (!CheckDHBase(dhBase) || settings.size() > PARAM_MAX_SIZE) { + DHLOGE("DCameraProviderCallbackImpl UpdateSettings input is invalid"); + return FAILED; + } std::shared_ptr sourceDev = sourceDev_.lock(); if (sourceDev == nullptr) { DHLOGE("DCameraProviderCallbackImpl UpdateSettings failed, can not get device, devId: %s, dhId: %s", @@ -196,6 +279,10 @@ int32_t DCameraProviderCallbackImpl::UpdateSettings(const DHBase& dhBase, const std::vector> settingInfos; for (auto iter = settings.begin(); iter != settings.end(); iter++) { + if (iter->value_.size() > PARAM_MAX_SIZE) { + DHLOGE("DCameraProviderCallbackImpl UpdateSettings value is too long"); + return FAILED; + } std::shared_ptr settingInfo = std::make_shared(); settingInfo->type_ = iter->type_; settingInfo->value_ = iter->value_; diff --git a/services/channel/src/dcamera_softbus_session.cpp b/services/channel/src/dcamera_softbus_session.cpp index cf51e1e2..328847a0 100644 --- a/services/channel/src/dcamera_softbus_session.cpp +++ b/services/channel/src/dcamera_softbus_session.cpp @@ -213,6 +213,7 @@ void DCameraSoftbusSession::AssembleFrag(std::shared_ptr& buffer, Se if (headerPara.fragFlag == FRAG_MID || headerPara.fragFlag == FRAG_END) { int32_t ret = CheckUnPackBuffer(headerPara); if (ret != DCAMERA_OK) { + ResetAssembleFrag(); return; } -- Gitee