authorEmilian Peev <epeev@google.com>2017-11-06 10:41:19 +0000
committerMSe <mse1969@posteo.de>2018-01-10 20:35:36 +0100
commit4683e985ad9c01d79f65d97fb0c9c95fbd1b9028 (patch)
treea137ba380cf538d4fbf90c1f81d3f4e9bb305bb3
parentc37b3f880a73397521518c1e7bae0a8a5c45764e (diff)
Camera metadata: Check source metadata size
Source size passed by client could be smaller than 'camera_metadata_t'. In this case the cast in 'allocate_copy_camera_metadata_checked()' will be incorrect and we will try to access invalid heap memory. Bug: 67782345 Test: Camera CTS Change-Id: I9582c704f414493978d09ffb603b5e8368cda5ce (cherry picked from commit 489bbd13bf0add8029444b9d9505b3d118776ea3) CVE-2017-13210
-rw-r--r--camera/src/camera_metadata.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/camera/src/camera_metadata.c b/camera/src/camera_metadata.c
index 82e88da7..eb0c6c40 100644
--- a/camera/src/camera_metadata.c
+++ b/camera/src/camera_metadata.c
@@ -183,6 +183,12 @@ camera_metadata_t *allocate_copy_camera_metadata_checked(
return NULL;
}
+ if (src_size < sizeof(camera_metadata_t)) {
+ ALOGE("%s: Source size too small!", __FUNCTION__);
+ android_errorWriteLog(0x534e4554, "67782345");
+ return NULL;
+ }
+
void *buffer = malloc(src_size);
memcpy(buffer, src, src_size);
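Review bot: The `malloc(src_size)` result in the context lines directly below the new check goes into `memcpy` without a NULL test, so a client-supplied `src_size` large enough to make the allocation fail becomes a write through a null pointer; add `if (buffer == NULL) return NULL;` between the two lines. The new guard only guarantees that the fixed `camera_metadata_t` header lies inside the copied buffer; the sizes and offsets stored in that header are still client-controlled and must be checked against `src_size` before use, which presumably happens further down. A short comment on the `android_errorWriteLog` line, such as `/* 0x534e4554 is ASCII "SNET", the SafetyNet event-log tag; the string is the bug id */`, would explain the magic constant. The body of `allocate_copy_camera_metadata_checked()` starts and ends outside the hunk.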