| author | 2022-05-26 22:59:15 +0000 | |
|---|---|---|
| committer | 2022-06-03 21:21:52 +0000 | |
| commit | 1877b47b1bcd53b3d40525d2cb22d0160ee0eaa1 (patch) | |
| tree | 5cbf7775074620ab3122140941a33e23388e4e44 | |
| parent | 99945d5d70e0cdbffcc00cdeeb4d8c8d8a2a908e (diff) | |
Ensure correct read of jpeg header blob
When using HIDL HAL, camera service rewrites jpeg header to match
camera3_jpeg_blob_v2 struct. The original buffer might be generated to
use the HIDL header which might have a smaller size and different memory
alignment requirements than camera3_jpeg_blob_v2. CameraServer puts the
header as the very last bytes of the incoming buffer. Since the size and
location of buffer is variable, it is possible that directly reading the
header values from the buffer fails because of memory alignment
requirements.
This CL uses memcpy to extract the header into the stack to ensure we
don't run into memory alignment errors when reading the header from the
jpeg buffer.
Bug: 233986162
Test: Camera CTS Passes, and verified by partner
Change-Id: I8d7ef872b4c7319349ebd1c5e83707ef4724c744
| -rw-r--r-- | media/jni/android_media_Utils.cpp | 13 |
1 files changed, 9 insertions, 4 deletions
diff --git a/media/jni/android_media_Utils.cpp b/media/jni/android_media_Utils.cpp index b7ad6dcf9354..fbebbdcb8761 100644 --- a/media/jni/android_media_Utils.cpp +++ b/media/jni/android_media_Utils.cpp @@ -123,10 +123,15 @@ uint32_t Image_getBlobSize(LockedImage* buffer, bool usingRGBAOverride) { // First check for BLOB transport header at the end of the buffer uint8_t* header = blobBuffer + (width - sizeof(struct camera3_jpeg_blob_v2)); - struct camera3_jpeg_blob_v2 *blob = (struct camera3_jpeg_blob_v2*)(header); - if (blob->jpeg_blob_id == CAMERA3_JPEG_BLOB_ID || - blob->jpeg_blob_id == CAMERA3_HEIC_BLOB_ID) { - size = blob->jpeg_size; + + // read camera3_jpeg_blob_v2 from the end of the passed buffer. + // requires memcpy because 'header' might not be properly aligned. + struct camera3_jpeg_blob_v2 blob; + memcpy(&blob, header, sizeof(struct camera3_jpeg_blob_v2)); + + if (blob.jpeg_blob_id == CAMERA3_JPEG_BLOB_ID || + blob.jpeg_blob_id == CAMERA3_HEIC_BLOB_ID) { + size = blob.jpeg_size; ALOGV("%s: Jpeg/Heic size = %d", __FUNCTION__, size); } |
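Review bot: The new `memcpy(&blob, header, sizeof(struct camera3_jpeg_blob_v2));` copies a full struct from `blobBuffer + (width - sizeof(struct camera3_jpeg_blob_v2))`, but nothing visible in this hunk checks that `width` is at least `sizeof(struct camera3_jpeg_blob_v2)`. If that check does not already exist earlier in `Image_getBlobSize`, a smaller `width` puts `header` outside `blobBuffer` and the copy reads out of bounds; a guard before `header` is computed that skips the transport-header path when the buffer is too short would close this. In the same block, `size = blob.jpeg_size;` takes the value straight from buffer contents, so it is worth rejecting or clamping a `jpeg_size` larger than `width - sizeof(struct camera3_jpeg_blob_v2)` before callers use it as a length. Minor: the function returns `uint32_t`, so if `size` has that type the `ALOGV` format should be `%u` rather than `%d`.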