diff options
author | Baligh Uddin <baligh@google.com> | 2016-09-01 03:48:40 +0000 |
---|---|---|
committer | Android (Google) Code Review <android-gerrit@google.com> | 2016-09-01 03:48:40 +0000 |
commit | 35f705a292ddc318bb791b12497195cf1424ca75 (patch) | |
tree | f8177c2655205ed9aa9bb6041652725ed91b460d | |
parent | d2c8e5a3dc911a06b6b5c9b7bd93cd65067a820a (diff) | |
parent | 25773016a8175b8ebd5b875442e3f155830897f3 (diff) | |
download | android_system_media-35f705a292ddc318bb791b12497195cf1424ca75.tar.gz android_system_media-35f705a292ddc318bb791b12497195cf1424ca75.tar.bz2 android_system_media-35f705a292ddc318bb791b12497195cf1424ca75.zip |
Merge "Camera metadata: Check for inconsistent data count" into nyc-bugfix-release
-rw-r--r-- | camera/src/camera_metadata.c | 16 |
1 files changed, 14 insertions, 2 deletions
diff --git a/camera/src/camera_metadata.c b/camera/src/camera_metadata.c index 92926872..a6b69042 100644 --- a/camera/src/camera_metadata.c +++ b/camera/src/camera_metadata.c @@ -14,6 +14,7 @@ * limitations under the License. */ +#define _GNU_SOURCE // for fdprintf #include <inttypes.h> #include <system/camera_metadata.h> #include <camera_metadata_hidden.h> @@ -390,8 +391,15 @@ int validate_camera_metadata_structure(const camera_metadata_t *metadata, return ERROR; } - const metadata_uptrdiff_t entries_end = - metadata->entries_start + metadata->entry_capacity; + if (metadata->data_count > metadata->data_capacity) { + ALOGE("%s: Data count (%" PRIu32 ") should be <= data capacity " + "(%" PRIu32 ")", + __FUNCTION__, metadata->data_count, metadata->data_capacity); + android_errorWriteLog(SN_EVENT_LOG_ID, "30591838"); + return ERROR; + } + + const metadata_uptrdiff_t entries_end = metadata->entries_start + metadata->entry_capacity; if (entries_end < metadata->entries_start || // overflow check entries_end > metadata->data_start) { @@ -496,6 +504,10 @@ int append_camera_metadata(camera_metadata_t *dst, const camera_metadata_t *src) { if (dst == NULL || src == NULL ) return ERROR; + // Check for overflow + if (src->entry_count + dst->entry_count < src->entry_count) return ERROR; + if (src->data_count + dst->data_count < src->data_count) return ERROR; + // Check for space if (dst->entry_capacity < src->entry_count + dst->entry_count) return ERROR; if (dst->data_capacity < src->data_count + dst->data_count) return ERROR; |