Merge tag 'android-9.0.0_r56' of https://android.googlesource.com/platform/frameworks/av into staging/lineage-16.0_merge-android-9.0.0_r56lineage-16.0

Android 9.0.0 release 56 * tag 'android-9.0.0_r56' of https://android.googlesource.com/platform/frameworks/av: RESTRICT AUTOMERGE: Camera: fix use after free in sensor timestamp BnCrypto: fix use-before-init in CREATE_PLUGIN Change-Id: I9712d0a8156bf26fa6fb803e061ac58cc5904aae
author: Kevin F. Haggerty <haggertk@lineageos.org> 2020-05-05 07:22:23 -0600
committer: Kevin F. Haggerty <haggertk@lineageos.org> 2020-05-05 07:22:23 -0600
commit: f291728d220a3142316af0e7390db9a8e849934c (patch)
tree: 868df4949da1884367aba01cd17cf4e158018f04
parent: bac69e690808c0290464e32dbb1e97cd5342e181 (diff)
parent: 5c06c66e2cc55a76a92879bdd977d945d785f602 (diff)
download: frameworks_av-lineage-16.0.tar.gz
frameworks_av-lineage-16.0.tar.bz2
frameworks_av-lineage-16.0.zip
2 files changed, 15 insertions, 4 deletions
diff --git a/drm/libmediadrm/ICrypto.cpp b/drm/libmediadrm/ICrypto.cpp
index a2594aa2d8..8d8d0880b2 100644
--- a/drm/libmediadrm/ICrypto.cpp
+++ b/drm/libmediadrm/ICrypto.cpp
@@ -264,8 +264,12 @@ status_t BnCrypto::onTransact(
         {
             CHECK_INTERFACE(ICrypto, data, reply);
 
-            uint8_t uuid[16];
-            data.read(uuid, sizeof(uuid));
+            uint8_t uuid[16] = {0};
+            if (data.read(uuid, sizeof(uuid)) != NO_ERROR) {
+                android_errorWriteLog(0x534e4554, "144767096");
+                reply->writeInt32(BAD_VALUE);
+                return OK;
+            }
 
             size_t opaqueSize = data.readInt32();
             void *opaqueData = NULL;
@@ -280,7 +284,11 @@ status_t BnCrypto::onTransact(
                 return NO_MEMORY;
             }
 
-            data.read(opaqueData, opaqueSize);
+            if (data.read(opaqueData, opaqueSize) != NO_ERROR) {
+                android_errorWriteLog(0x534e4554, "144767096");
+                reply->writeInt32(BAD_VALUE);
+                return OK;
+            }
             reply->writeInt32(createPlugin(uuid, opaqueData, opaqueSize));
 
             free(opaqueData);
diff --git a/services/camera/libcameraservice/device3/Camera3Device.cpp b/services/camera/libcameraservice/device3/Camera3Device.cpp
index 3409b32cec..1b85576259 100644
--- a/services/camera/libcameraservice/device3/Camera3Device.cpp
+++ b/services/camera/libcameraservice/device3/Camera3Device.cpp
@@ -3029,6 +3029,9 @@ void Camera3Device::sendCaptureResult(CameraMetadata &pendingMetadata,
                 frameNumber);
         return;
     }
+
+    nsecs_t sensorTimestamp = timestamp.data.i64[0];
+
     for (auto& physicalMetadata : captureResult.mPhysicalMetadatas) {
         camera_metadata_entry timestamp =
                 physicalMetadata.mPhysicalCameraMetadata.find(ANDROID_SENSOR_TIMESTAMP);
@@ -3048,7 +3051,7 @@ void Camera3Device::sendCaptureResult(CameraMetadata &pendingMetadata,
     }
 
     mTagMonitor.monitorMetadata(TagMonitor::RESULT,
-            frameNumber, timestamp.data.i64[0], captureResult.mMetadata);
+            frameNumber, sensorTimestamp, captureResult.mMetadata);
 
     insertResultLocked(&captureResult, frameNumber);
 }
author	Kevin F. Haggerty <haggertk@lineageos.org>	2020-05-05 07:22:23 -0600
committer	Kevin F. Haggerty <haggertk@lineageos.org>	2020-05-05 07:22:23 -0600
commit	f291728d220a3142316af0e7390db9a8e849934c (patch)
tree	868df4949da1884367aba01cd17cf4e158018f04
parent	bac69e690808c0290464e32dbb1e97cd5342e181 (diff)
parent	5c06c66e2cc55a76a92879bdd977d945d785f602 (diff)
download	frameworks_av-lineage-16.0.tar.gz frameworks_av-lineage-16.0.tar.bz2 frameworks_av-lineage-16.0.zip