
Commit e2b60c81 authored by Eino-Ville Talvala

CameraMetadata: Add sanity check to avoid accidental memory corruption.

Update shouldn't be called with a pointer from the metadata structure
being updated, since it might be resized.  The API really needs rework,
but until that happens, detect this condition and error out.

Bug: 22542551
Change-Id: I896c34d8134ac3b101d050fc8aa5d203a08e7267
parent b9f72ab0
+11 −0
@@ -289,6 +289,17 @@ status_t CameraMetadata::updateImpl(uint32_t tag, const void *data,
        ALOGE("%s: Tag %d not found", __FUNCTION__, tag);
        return BAD_VALUE;
    }
    // Safety check - ensure that data isn't pointing to this metadata, since
    // that would get invalidated if a resize is needed
    size_t bufferSize = get_camera_metadata_size(mBuffer);
    uintptr_t bufAddr = reinterpret_cast<uintptr_t>(mBuffer);
    uintptr_t dataAddr = reinterpret_cast<uintptr_t>(data);
    if (dataAddr > bufAddr && dataAddr < (bufAddr + bufferSize)) {
        ALOGE("%s: Update attempted with data from the same metadata buffer!",
                __FUNCTION__);
        return INVALID_OPERATION;
    }

    size_t data_size = calculate_camera_metadata_entry_data_size(type,
            data_count);
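
Review bot: The overlap test in `if (dataAddr > bufAddr && dataAddr < (bufAddr + bufferSize))` looks only at the first byte of `data` and uses a strict lower bound, so two cases pass unflagged: `data` equal to `mBuffer` itself, and a source range that starts below `mBuffer` and runs into it. Since `data_size` is computed on the very next statement, consider moving the check below that call and comparing the whole range, i.e. reject when `dataAddr < bufAddr + bufferSize` and `dataAddr + data_size > bufAddr`. The comment would also benefit from stating what callers are expected to do instead (copy the entry data out before calling update), since the check now returns `INVALID_OPERATION` even when no resize would have occurred.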