Commit [1] ("Introduce a dependency monitor for fences") has added new
members to the GraphicBuffer struct, increasing the size from 0x100 to
0xd30. camera.xiaomi.so creates GraphicBuffer in its constructors using
"new GraphicBuffer(..)" which encodes the size to allocate at compile
time. Then, on destruction of the object, the implicit destructor will
try to destruct the new members, but, since this memory was not
allocated for the object, this leads to memory access of unallocated
storage.
F DEBUG : backtrace:
F DEBUG : #00 pc 000000000003ba00 /vendor/lib64/libui.so (__aarch64_ldadd8_acq_rel+16) (BuildId: b577faa139eb3404c7d3a674b147634c)
F DEBUG : #01 pc 0000000000051364 /vendor/lib64/libui.so (android::GraphicBuffer::~GraphicBuffer()+248) (BuildId: b577faa139eb3404c7d3a674b147634c)
F DEBUG : #02 pc 0000000000051698 /vendor/lib64/libui.so (android::GraphicBuffer::~GraphicBuffer()+20) (BuildId: b577faa139eb3404c7d3a674b147634c)
F DEBUG : #03 pc 0000000000011064 /vendor/lib64/libutils.so (android::RefBase::decStrong(void const*) const+164) (BuildId: 99d1ab745e7b73420d8d2b397483ef54)
F DEBUG : #04 pc 00000000000cd538 /vendor/lib64/hw/camera.xiaomi.so (mihal::GraBuffer::~GraBuffer()+236) (BuildId: a4c59705588bd26d407f0ab181902baf)
[1]: https://github.com/LineageOS/android_frameworks_native/commit/df868baf2abefbb45341530d20a948ffd6b2c304
Change-Id: I239c31b6ea5a7813abc3e9cfbefb6d2bdcc1a9e0
Signed-off-by: therealmharc <therealmharc@gmail.com>
Signed-off-by: Ido <dev.xyzuniverse@gmail.com>
Arian