From 8d0a86a45af999de64805bf471b60cc7120b8076 Mon Sep 17 00:00:00 2001
From: Eino-Ville Talvala
Date: Tue, 16 Aug 2016 15:48:05 -0700
Subject: Camera metadata: Check for inconsistent data count Resolve Merge conflic for mnc-mr2-release Also check for overflow of data/entry count on append.
Bug: 30591838
Change-Id: Ibf4c3c6e236cdb28234f3125055d95ef0a2416a2
---
 camera/src/camera_metadata.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/camera/src/camera_metadata.c b/camera/src/camera_metadata.c
index 9bb58cb7..82e88da7 100644
--- a/camera/src/camera_metadata.c
+++ b/camera/src/camera_metadata.c
@@ -14,6 +14,7 @@
 * limitations under the License.
 */
+#define _GNU_SOURCE // for fdprintf
 #include
 #include
 #include
@@ -390,8 +391,17 @@ int validate_camera_metadata_structure(const camera_metadata_t *metadata,
 return ERROR;
 }
+ if (metadata->data_count > metadata->data_capacity) {
+ ALOGE("%s: Data count (%" PRIu32 ") should be <= data capacity "
+ "(%" PRIu32 ")",
+ __FUNCTION__, metadata->data_count, metadata->data_capacity);
+ android_errorWriteLog(SN_EVENT_LOG_ID, "30591838");
+ return ERROR;
+ }
 const metadata_uptrdiff_t entries_end = metadata->entries_start + metadata->entry_capacity;
+
+
 if (entries_end < metadata->entries_start || // overflow check
 entries_end > metadata->data_start) {
@@ -496,6 +506,10 @@ int append_camera_metadata(camera_metadata_t *dst, const camera_metadata_t *src) {
 if (dst == NULL || src == NULL ) return ERROR;
+ // Check for overflow
+ if (src->entry_count + dst->entry_count < src->entry_count) return ERROR;
+ if (src->data_count + dst->data_count < src->data_count) return ERROR;
+ // Check for space
 if (dst->entry_capacity < src->entry_count + dst->entry_count) return ERROR;
 if (dst->data_capacity < src->data_count + dst->data_count) return ERROR;
-- cgit v1.2.3
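Review bot: The two blank lines added after the `entries_end` computation in validate_camera_metadata_structure separate that value from the overflow `if` that consumes it, while the new `data_count` block sits directly against the `const metadata_uptrdiff_t entries_end =` declaration with no separator. Moving one blank line to just after the new block's closing `}` and dropping the other keeps each check visually attached to its own data. The new block would also read better with a one-line comment stating why the bound matters, for example `// data_count must never exceed data_capacity; a larger value describes data beyond the allocation`. The function starts and ends outside the hunk, so how data_count is consumed further down is not visible here.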
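Review bot: The two overflow rejections added at the top of append_camera_metadata return ERROR silently, whereas the data_count check this commit adds to validate_camera_metadata_structure records the condition with ALOGE and `android_errorWriteLog(SN_EVENT_LOG_ID, "30591838")`. A wrapped count is the same kind of malformed input, so logging it the same way would keep the rejection visible to whoever monitors the event log. The wraparound test also relies on the count fields being unsigned and at least as wide as `int`; the `PRIu32` format in the other hunk suggests `uint32_t`, but the struct definition is not shown. Writing the test as `if (src->entry_count > UINT32_MAX - dst->entry_count) return ERROR;` (and likewise for `data_count`) states the limit directly without forming the sum first. The function body continues outside the hunk.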