Closed
Description
In camera.cpp you have:
FrameBuffer::FrameBuffer(int32_t x, int32_t y, int32_t bpp) :
_fb_size(x*y*bpp),
_isAllocated(true)
{
uint8_t *buffer = (uint8_t *)malloc(x*y*bpp);
_fb = (uint8_t *)ALIGN_PTR((uintptr_t)buffer, 32);
}
So if I pass in Framebuffer(320, 240, 2);
And malloc does not allocate on a 32 byte boundary, you will then increment up to the next 32 byte boundary and continue to try to write into an area that was not allocated to you...
If you use the default constructor without parameters, it tries to handle this properly:
int Camera::grabFrame(FrameBuffer &fb, uint32_t timeout)
{
if (this->sensor == NULL
|| this->pixformat == -1
|| this->resolution == -1) {
return -1;
}
uint32_t framesize = frameSize();
if (fb.isAllocated()) {
//A buffer has already been allocated
//Check buffer size
if (fb.hasFixedSize()) {
uint32_t fbSize = fb.getBufferSize();
if (_debug) {
_debug->print("fbSize: ");
_debug->println(fbSize);
}
if (fbSize < framesize) {
if (_debug) {
_debug->println("The allocated buffer is too small!");
}
return -1;
}
}
} else {
uint8_t *buffer = (uint8_t *)malloc(framesize+32);
uint8_t *alignedBuff = (uint8_t *)ALIGN_PTR((uintptr_t)buffer, 32);
fb.setBuffer(alignedBuff);
}
...