[camera_windows] Use temp directory fallback when Pictures folder is unavailable #10723
Conversation
|
It looks like this pull request may not have tests. Please make sure to add tests or get an explicit test exemption before merging. If you are not sure if you need tests, consider this rule of thumb: the purpose of a test is to make sure someone doesn't accidentally revert the fix. Ask yourself, is there anything in your PR that you feel it is important we not accidentally revert back to how it was before your fix? Reviewers: Read the Tree Hygiene page and make sure this patch meets those guidelines before LGTMing. If you believe this PR qualifies for a test exemption, contact "@test-exemption-reviewer" in the #hackers channel in Discord (don't just cc them here, they won't see it!). The test exemption team is a small volunteer group, so all reviewers should feel empowered to ask for tests, without delegating that responsibility entirely to the test exemption group. |
|
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request. |
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request adds a fallback to the system temporary directory in GetFilePathForPicture when the user's Pictures folder is unavailable. It also ensures the directory path correctly ends with a trailing slash. My review found a potential buffer over-read vulnerability in the new fallback logic and also noted that the new logic is not covered by tests, which is required by the repository's style guide. I've provided specific comments with suggestions. For future consideration, it would be beneficial to apply this same robust fallback logic to the GetFilePathForVideo function to ensure consistent behavior.
| // Fallback to temp folder | ||
| wchar_t tempPath[MAX_PATH]; | ||
| DWORD len = GetTempPathW(MAX_PATH, tempPath); | ||
| if (len == 0 || len > MAX_PATH) { |
There was a problem hiding this comment.
The condition len > MAX_PATH is incorrect and could lead to a buffer over-read. For WinAPI functions like GetTempPathW, if the returned length is equal to the buffer size (MAX_PATH in this case), the written string is not guaranteed to be null-terminated. Constructing a std::wstring from a non-null-terminated C-style string results in undefined behavior as it will read past the end of the buffer. The check should be len >= MAX_PATH to correctly handle this edge case.
| if (len == 0 || len > MAX_PATH) { | |
| if (len == 0 || len >= MAX_PATH) { |
| if (SUCCEEDED(hr)) { | ||
| wpath = std::wstring(known_folder_path); | ||
| } else { | ||
| // Fallback to temp folder | ||
| wchar_t tempPath[MAX_PATH]; | ||
| DWORD len = GetTempPathW(MAX_PATH, tempPath); | ||
| if (len == 0 || len > MAX_PATH) { | ||
| return std::nullopt; | ||
| } | ||
| wpath = std::wstring(tempPath); | ||
| } |
There was a problem hiding this comment.
This change introduces new logic, including a fallback path, but doesn't include corresponding tests. The repository style guide states that 'Code should be tested'. To ensure the correctness and robustness of this new functionality, please add unit tests that cover both the successful retrieval of the Pictures folder and the fallback to the temporary directory. This might require some refactoring to allow for mocking of the Windows API calls.
References
- Code should be tested. Changes to plugin packages, which include code written in C, C++, Java, Kotlin, Objective-C, or Swift, should have appropriate tests. (link)
|
Thanks for the contribution! In the future, please do not delete the checklist that is in the PR template; it is there for a reason. This PR is missing required elements described in the checklist (I’ve restored it to the PR description), which need to be addressed before it moves forward with review. I am marking the PR as a Draft. Please review the checklist, updating the PR as appropriate, and when that’s complete please feel free to mark the PR as ready for review. |
Which existing test fails without the changes in this PR? |
2 participants
Added a fallback when SHGetKnownFolderPath fails
Previously, if retrieving the Pictures folder failed, the function returned std::nullopt immediately.
Now, it gracefully falls back to the system temporary directory using GetTempPathW.
This prevents crashes or unexpected failures on systems where the Pictures folder is unavailable or restricted.
This change improves the reliability of picture file path generation on Windows.
If retrieving the Pictures folder fails, the code now falls back to the system temp directory instead of returning nullopt.
It also ensures the directory path ends with a trailing slash and uses safer wide‑string handling before converting to UTF‑8.
Fixes flutter/flutter#180559
Pre-Review Checklist
[shared_preferences]pubspec.yamlwith an appropriate new version according to the pub versioning philosophy, or I have commented below to indicate which version change exemption this PR falls under1.CHANGELOG.mdto add a description of the change, following repository CHANGELOG style, or I have commented below to indicate which CHANGELOG exemption this PR falls under1.///).If you need help, consider asking for advice on the #hackers-new channel on Discord.
Note: The Flutter team is currently trialing the use of Gemini Code Assist for GitHub. Comments from the
gemini-code-assistbot should not be taken as authoritative feedback from the Flutter team. If you find its comments useful you can update your code accordingly, but if you are unsure or disagree with the feedback, please feel free to wait for a Flutter team member's review for guidance on which automated comments should be addressed.Test is already covered on native windows side
Footnotes
Regular contributors who have demonstrated familiarity with the repository guidelines only need to comment if the PR is not auto-exempted by repo tooling. ↩ ↩2 ↩3