Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit b393a2d9 authored by Eino-Ville Talvala's avatar Eino-Ville Talvala
Browse files

Camera: Validate face count in received metadata 

Ensure the count can't cause an overflow in bytes to be read.

Test: atest CtsCameraTestCases; also add bad face count data from camera
  service and manually verify the error logs appear when running
  android.hardware.cts.CameraTest#testFaceDetection.
Bug: 150156131
Change-Id: Ic78ec0ccf67ef8665f80f69aabbb1ae71dd609cd
parent 3742d5e5

camera/ICameraClient.cpp

+5 −0
Original line number Diff line number Diff line
@@ -143,6 +143,11 @@ status_t BnCameraClient::onTransact( 
            if (data.dataAvail() > 0) {

                metadata = new camera_frame_metadata_t;

                metadata->number_of_faces = data.readInt32();

                if (metadata->number_of_faces <= 0 ||

                        metadata->number_of_faces > (int32_t)(INT32_MAX / sizeof(camera_face_t))) {

                    ALOGE("%s: Too large face count: %d", __FUNCTION__, metadata->number_of_faces);

                    return BAD_VALUE;

                }

                metadata->faces = (camera_face_t *) data.readInplace(

                        sizeof(camera_face_t) * metadata->number_of_faces);

            }