author | Emilian Peev <epeev@google.com> | 2017-11-06 10:41:19 +0000 |
---|---|---|
committer | MSe <mse1969@posteo.de> | 2018-01-10 20:35:36 +0100 |
commit | 4683e985ad9c01d79f65d97fb0c9c95fbd1b9028 | |
tree | a137ba380cf538d4fbf90c1f81d3f4e9bb305bb3 | |
parent | c37b3f880a73397521518c1e7bae0a8a5c45764e | |
Camera metadata: Check source metadata size
Source size passed by client could be smaller than 'camera_metadata_t'.
In this case the cast in 'allocate_copy_camera_metadata_checked()' will
be incorrect and we will try to access invalid heap memory.
Bug: 67782345
Test: Camera CTS
Change-Id: I9582c704f414493978d09ffb603b5e8368cda5ce
(cherry picked from commit 489bbd13bf0add8029444b9d9505b3d118776ea3)
CVE-2017-13210
-rw-r--r-- | camera/src/camera_metadata.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/camera/src/camera_metadata.c b/camera/src/camera_metadata.c index 82e88da7..eb0c6c40 100644 --- a/camera/src/camera_metadata.c +++ b/camera/src/camera_metadata.c @@ -183,6 +183,12 @@ camera_metadata_t *allocate_copy_camera_metadata_checked( return NULL; } + if (src_size < sizeof(camera_metadata_t)) { + ALOGE("%s: Source size too small!", __FUNCTION__); + android_errorWriteLog(0x534e4554, "67782345"); + return NULL; + } + void *buffer = malloc(src_size); memcpy(buffer, src, src_size); |
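Review bot: The unchanged context right after the new size check, `void *buffer = malloc(src_size); memcpy(buffer, src, src_size);`, passes the malloc result to memcpy without a NULL check. The commit message says src_size is supplied by the client, and the added check only enforces a lower bound of sizeof(camera_metadata_t), so an allocation that fails for a large src_size would reach memcpy with a NULL destination. Suggest returning NULL (with an ALOGE, as the new branch does) when buffer is NULL, before the memcpy, either in this change or in a follow-up. Minor: a short comment or a named constant for `0x534e4554` in the android_errorWriteLog call would make the new branch easier to read for someone who does not recognise the tag value.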