sweet: Patch com.vidhance.node.eis.so to allocate GraphicBuffer with new size

Commit [1] ("Introduce a dependency monitor for fences") has added new
members to the GraphicBuffer struct, increasing the size from 0x100 to
0xd30. camera.xiaomi.so creates GraphicBuffer in its constructors using
"new GraphicBuffer(..)" which encodes the size to allocate at compile
time. Then, on destruction of the object, the implicit destructor will
try to destruct the new members, but, since this memory was not
allocated for the object, this leads to memory access of unallocated
storage.

F DEBUG   : backtrace:
F DEBUG   :       #00 pc 000000000003ba00  /vendor/lib64/libui.so (__aarch64_ldadd8_acq_rel+16) (BuildId: b577faa139eb3404c7d3a674b147634c)
F DEBUG   :       #01 pc 0000000000051364  /vendor/lib64/libui.so (android::GraphicBuffer::~GraphicBuffer()+248) (BuildId: b577faa139eb3404c7d3a674b147634c)
F DEBUG   :       #02 pc 0000000000051698  /vendor/lib64/libui.so (android::GraphicBuffer::~GraphicBuffer()+20) (BuildId: b577faa139eb3404c7d3a674b147634c)
F DEBUG   :       #03 pc 0000000000011064  /vendor/lib64/libutils.so (android::RefBase::decStrong(void const*) const+164) (BuildId: 99d1ab745e7b73420d8d2b397483ef54)
F DEBUG   :       #04 pc 00000000000cd538  /vendor/lib64/hw/camera.xiaomi.so (mihal::GraBuffer::~GraBuffer()+236) (BuildId: a4c59705588bd26d407f0ab181902baf)

[1]: df868baf2a

Change-Id: I239c31b6ea5a7813abc3e9cfbefb6d2bdcc1a9e0
Signed-off-by: therealmharc <therealmharc@gmail.com>

extract-files.py

@@ -5,6 +5,8 @@
 #
 
 from extract_utils.fixups_blob import (
+    BlobFixupCtx,
+    File,
     blob_fixup,
     blob_fixups_user_type,
 )
@@ -16,6 +18,12 @@ from extract_utils.main import (
     ExtractUtils,
     ExtractUtilsModule,
 )
+from extract_utils.tools import (
+    llvm_objdump_path,
+)
+from extract_utils.utils import (
+    run_cmd,
+)
 
 namespace_imports = [
     'hardware/qcom-caf/sm8150',
@@ -24,6 +32,33 @@ namespace_imports = [
     'vendor/xiaomi/sm6150-common',
 ]
 
+
+def blob_fixup_graphic_buffer_size(
+    ctx: BlobFixupCtx,
+    file: File,
+    file_path: str,
+    *args,
+    **kwargs,
+):
+    for line in run_cmd(
+        [
+            llvm_objdump_path,
+            '--disassemble-all',
+            file_path,
+        ]
+    ).splitlines():
+        line = line.split(maxsplit=5)
+        if len(line) != 6:
+            continue
+
+        # The size of GraphicBuffer changed from 0x100 to 0xd30
+        offset, _, instruction, register, value, _ = line
+        if instruction == 'mov' and register[:-1] == 'w0' and value == '#0x100':
+            with open(file_path, 'rb+') as f:
+                f.seek(int(offset[:-1], 16))
+                f.write(b'\x00\xa6\x81\x52')  # AArch64 mov w0, #0xd30
+
+
 lib_fixups: lib_fixups_user_type = {
     **lib_fixups,
 }
@@ -41,6 +76,8 @@ blob_fixups: blob_fixups_user_type = {
         .binary_regex_replace(b'libmegface.so', b'libfacedet.so')
         .binary_regex_replace(b'libMegviiFacepp-0.5.2.so', b'libFaceDetectpp-0.5.2.so')
         .binary_regex_replace(b'megviifacepp_0_5_2_model', b'facedetectpp_0_5_2_model'),
+    'vendor/lib64/camera/components/com.vidhance.node.eis.so': blob_fixup()
+        .call(blob_fixup_graphic_buffer_size),
     ('vendor/lib64/libalLDC.so', 'vendor/lib64/libalhLDC.so'): blob_fixup()
         .clear_symbol_version('AHardwareBuffer_allocate')
         .clear_symbol_version('AHardwareBuffer_describe')