CameraBase: Don't return an sp<> by reference

If the server dies, the binder death callback clears out the global camera service sp<>, and any current references to it will become quite unhappy. Test: Camera CTS passes Bug: 31992879 AOSP-Change-Id: I2966bed35d0319e3f26e3d4b1b8dc08006a22348 CVE-2017-0544 Change-Id: Ib7ef455366927b0471f8fcabdd5a54e38e375d41 (cherry picked from commit 4b49489)
TheFlyhalf205 · Apr 6, 2017 · c59a656 · c59a656
1 parent e959817
commit c59a656
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 6 deletions.
diff --git a/camera/CameraBase.cpp b/camera/CameraBase.cpp
@@ -65,7 +65,7 @@ namespace {
 
 // establish binder interface to camera service
 template <typename TCam, typename TCamTraits>
-const sp<ICameraService>& CameraBase<TCam, TCamTraits>::getCameraService()
+const sp<ICameraService> CameraBase<TCam, TCamTraits>::getCameraService()
 {
     Mutex::Autolock _l(gLock);
     if (gCameraService.get() == 0) {
@@ -98,7 +98,7 @@ sp<TCam> CameraBase<TCam, TCamTraits>::connect(int cameraId,
     sp<TCam> c = new TCam(cameraId);
     sp<TCamCallbacks> cl = c;
     status_t status = NO_ERROR;
-    const sp<ICameraService>& cs = getCameraService();
+    const sp<ICameraService> cs = getCameraService();
 
     if (cs != 0) {
         TCamConnectService fnConnectService = TCamTraits::fnConnectService;
@@ -195,23 +195,23 @@ int CameraBase<TCam, TCamTraits>::getNumberOfCameras() {
 template <typename TCam, typename TCamTraits>
 status_t CameraBase<TCam, TCamTraits>::getCameraInfo(int cameraId,
                                struct CameraInfo* cameraInfo) {
-    const sp<ICameraService>& cs = getCameraService();
+    const sp<ICameraService> cs = getCameraService();
     if (cs == 0) return UNKNOWN_ERROR;
     return cs->getCameraInfo(cameraId, cameraInfo);
 }
 
 template <typename TCam, typename TCamTraits>
 status_t CameraBase<TCam, TCamTraits>::addServiceListener(
                             const sp<ICameraServiceListener>& listener) {
-    const sp<ICameraService>& cs = getCameraService();
+    const sp<ICameraService> cs = getCameraService();
     if (cs == 0) return UNKNOWN_ERROR;
     return cs->addListener(listener);
 }
 
 template <typename TCam, typename TCamTraits>
 status_t CameraBase<TCam, TCamTraits>::removeServiceListener(
                             const sp<ICameraServiceListener>& listener) {
-    const sp<ICameraService>& cs = getCameraService();
+    const sp<ICameraService> cs = getCameraService();
     if (cs == 0) return UNKNOWN_ERROR;
     return cs->removeListener(listener);
 }

diff --git a/include/camera/CameraBase.h b/include/camera/CameraBase.h
@@ -101,7 +101,7 @@ class CameraBase : public IBinder::DeathRecipient
     virtual void                     binderDied(const wp<IBinder>& who);
 
     // helper function to obtain camera service handle
-    static const sp<ICameraService>& getCameraService();
+    static const sp<ICameraService> getCameraService();
 
     sp<TCamUser>                     mCamera;
     status_t                         mStatus;