Camera: Fix memory leak if malformed face data is received (3ac6bae6) · Commits · e / os / android_frameworks_av

camera/ICameraClient.cpp

+8 −10

Original line number	Diff line number	Diff line
		@@ -139,20 +139,18 @@ status_t BnCameraClient::onTransact(
		CHECK_INTERFACE(ICameraClient, data, reply);
		int32_t msgType = data.readInt32();
		sp<IMemory> imageData = interface_cast<IMemory>(data.readStrongBinder());
		camera_frame_metadata_t *metadata = NULL;
		camera_frame_metadata_t metadata;
		if (data.dataAvail() > 0) {
		metadata = new camera_frame_metadata_t;
		metadata->number_of_faces = data.readInt32();
		if (metadata->number_of_faces <= 0 \|\|
		metadata->number_of_faces > (int32_t)(INT32_MAX / sizeof(camera_face_t))) {
		ALOGE("%s: Too large face count: %d", __FUNCTION__, metadata->number_of_faces);
		metadata.number_of_faces = data.readInt32();
		if (metadata.number_of_faces <= 0 \|\|
		metadata.number_of_faces > (int32_t)(INT32_MAX / sizeof(camera_face_t))) {
		ALOGE("%s: Too large face count: %d", __FUNCTION__, metadata.number_of_faces);
		return BAD_VALUE;
		}
		metadata->faces = (camera_face_t *) data.readInplace(
		sizeof(camera_face_t) * metadata->number_of_faces);
		metadata.faces = (camera_face_t *) data.readInplace(
		sizeof(camera_face_t) * metadata.number_of_faces);
		}
		dataCallback(msgType, imageData, metadata);
		if (metadata) delete metadata;
		dataCallback(msgType, imageData, &metadata);
		return NO_ERROR;
		} break;
		case DATA_CALLBACK_TIMESTAMP: {