From 9b6309108ce02f5cdd650a5747b1ff3b7c6fe759 Mon Sep 17 00:00:00 2001
From: linchengfeng
Date: Fri, 18 Apr 2025 09:53:20 +0800
Subject: [PATCH] fix DTFuzz
Signed-off-by: linchengfeng
---
 .../metadata/include/camera_metadata_info.h | 1 +
 camera/metadata/src/camera_metadata_info.cpp | 24 +++++++++++++++++++
 camera/metadata/src/metadata_utils.cpp | 3 ++-
 3 files changed, 27 insertions(+), 1 deletion(-)
diff --git a/camera/metadata/include/camera_metadata_info.h b/camera/metadata/include/camera_metadata_info.h
index be3c3275..2be92e51 100644
--- a/camera/metadata/include/camera_metadata_info.h
+++ b/camera/metadata/include/camera_metadata_info.h
@@ -58,6 +58,7 @@ private:
 camera_metadata_item_entry_t *itemToDelete, size_t dataBytes);
 static int copyMetadataMemory(common_metadata_header_t *dst, camera_metadata_item_entry_t *item, size_t dataPayloadSize, const void *data);
+ static bool CheckItemDataType(camera_metadata_item_entry_t &item);
 public:
 // Allocate a new camera metadata buffer and return the metadata header
diff --git a/camera/metadata/src/camera_metadata_info.cpp b/camera/metadata/src/camera_metadata_info.cpp
index b43d668c..74ff433e 100644
--- a/camera/metadata/src/camera_metadata_info.cpp
+++ b/camera/metadata/src/camera_metadata_info.cpp
@@ -377,6 +377,14 @@ std::map g_metadataSectionMap = {
 {OHOS_LIGHT_STATUS, OHOS_SECTION_LIGHT_STATUS},
 };
+std::map g_itemDataTypeMap {
+ { OHOS_ABILITY_STREAM_AVAILABLE_BASIC_CONFIGURATIONS, META_TYPE_INT32 },
+ { OHOS_ABILITY_STREAM_AVAILABLE_EXTEND_CONFIGURATIONS, META_TYPE_INT32 },
+ { OHOS_SENSOR_INFO_MAX_FRAME_DURATION, META_TYPE_INT64 },
+ { OHOS_JPEG_MAX_SIZE, META_TYPE_INT32 },
+ { OHOS_ABILITY_CAMERA_CONNECTION_TYPE, META_TYPE_BYTE }
+};
+
 CameraMetadata::CameraMetadata(size_t itemCapacity, size_t dataCapacity)
 {
 metadata_ = AllocateCameraMetadataBuffer(itemCapacity, AlignTo(dataCapacity, DATA_ALIGNMENT));
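Review bot: `g_itemDataTypeMap` in camera_metadata_info.cpp is added as a non-const global with external linkage, so the table the new type check trusts can be modified, or clash with another definition, from any translation unit. Declaring it `static const` (or placing it in an anonymous namespace) fixes the expected types at load time and keeps the symbol file-local. The table covers only five tags, and a short comment above it saying why these five were selected (presumably the ones the fuzzer reached) would tell maintainers when to extend it. If the file already has a general tag-to-type lookup, checking against that would avoid a second hand-maintained list.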
@@ -970,6 +978,10 @@ int CameraMetadata::FindCameraMetadataItemIndex(const common_metadata_header_t *
 return CAM_META_ITEM_NOT_FOUND;
 }
+ if (!CheckItemDataType(*searchItem)) {
+ return CAM_META_INVALID_PARAM;
+ }
+
 *idx = index;
 METADATA_DEBUG_LOG("FindCameraMetadataItemIndex index: %{public}u", index);
 METADATA_DEBUG_LOG("FindCameraMetadataItemIndex end");
@@ -1639,4 +1651,16 @@ int32_t CameraMetadata::GetAllVendorTags(std::vector& tagVec)
 g_vendorTagImpl->GetAllVendorTags(tagVec);
 return CAM_META_SUCCESS;
 }
+
+bool CameraMetadata::CheckItemDataType(camera_metadata_item_entry_t &item)
+{
+ auto iter = g_itemDataTypeMap.find(item.item);
+ if (iter != g_itemDataTypeMap.end()) {
+ if (iter->second != item.data_type) {
+ METADATA_ERR_LOG("Invalid data type :%{public}u, item :%{public}u", item.data_type, item.item);
+ return false;
+ }
+ }
+ return true;
+}
 } // Camera
diff --git a/camera/metadata/src/metadata_utils.cpp b/camera/metadata/src/metadata_utils.cpp
index 576fc97e..8cedd2b5 100644
--- a/camera/metadata/src/metadata_utils.cpp
+++ b/camera/metadata/src/metadata_utils.cpp
@@ -483,7 +483,8 @@ std::shared_ptr MetadataUtils::DecodeFromString(std::string sett
 IF_COND_PRINT_MSG_AND_RETURN(ret != EOK, "MetadataUtils::DecodeFromString Failed to copy memory for metadata header")
- bool isItemsStartInvalid = meta->items_start >= actualMemSize || meta->items_start < headerLength;
+ bool isItemsStartInvalid = meta->items_start >= actualMemSize || meta->items_start < headerLength ||
+ meta->item_count == 0;
 bool isDataStartInvalid = meta->data_start >= actualMemSize || meta->data_start < headerLength;
 bool isMetadataCountInvaild = (actualMemSize - meta->items_start) < (uint64_t)meta->item_count * itemLen || (actualMemSize - meta->data_start) < meta->data_count;
-- Gitee
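Review bot: The type check added to `FindCameraMetadataItemIndex` runs only when an item is looked up, so a buffer holding a mistyped entry is still accepted when it is decoded and stays reachable by any code that walks the item array without calling this function. Validating each entry once where untrusted bytes enter (the `DecodeFromString` path touched later in this patch looks like that boundary) would reject it earlier, with this lookup-time check kept as defence in depth. The check compares `data_type` only; whether `count` and the data offset of the matched entry are bounded against the buffer is not visible in this hunk and is worth confirming. A comment at the early return, e.g. `// entry exists but its declared type is wrong: treat the buffer as malformed`, would explain the new `CAM_META_INVALID_PARAM` result to callers that so far only expected "not found". The function body starts and ends outside the hunk.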
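Review bot: `CheckItemDataType` takes its argument by non-const reference although it only reads `item.item` and `item.data_type`; `const camera_metadata_item_entry_t &item`, here and in the declaration added to camera_metadata_info.h, states that intent. The function returns true for every tag that has no entry in `g_itemDataTypeMap`, which is easy to misread as "type verified", so it should carry a comment such as `// Returns false only when a tag listed in g_itemDataTypeMap has a different data_type; unlisted tags pass unchecked.` The two nested `if`s can be a single condition, `if (iter != g_itemDataTypeMap.end() && iter->second != item.data_type) {`.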
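Review bot: The new `meta->item_count == 0` test is folded into `isItemsStartInvalid`, so whatever message or branch later uses that flag (outside this hunk) will report a bad items offset when the real cause is an empty item list. A separate flag, `bool isItemCountInvalid = meta->item_count == 0;`, combined into the rejection condition that follows, keeps the diagnostics accurate. A header with zero items is now refused outright, so if the encode side can produce metadata with no items the round trip will fail; that path is not shown here and is worth confirming. `DecodeFromString` continues outside the hunk.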