DO NOT MERGE Check frame handle validity before freeing buffer. in CameraSource::releaseRecordingFrame(), validate the VideoNativeHandleMetadata field when received. Avoid releasing invalid handles (and thus invalid memory) if this has been corrupted in user space. Bug: 37662122 Test: poc before/after on nyc-mr2 Change-Id: If48c050a5c20552604a90f19130ad5837e80bf52 (cherry picked from commit e779e08977ff0be086cae86c8d05e55805a967a4)

commit: 0be8a2541594feec746195d6dbbc0db6c602175e [log] [tgz]
author: Ray Essick <essick@google.com> Mon Jun 19 10:40:56 2017 -0700
committer: android-build-team Robot <android-build-team-robot@google.com> Wed Aug 02 17:49:52 2017 +0000
tree: b38655df4629e83460c61b022fb967ff04141771
parent: 9cb10d49b1319ea1207cc2f445089aa9266ffc71 [diff]
diff --git a/media/libstagefright/CameraSource.cpp b/media/libstagefright/CameraSource.cpp
index 893da89..b7d9965 100644
--- a/media/libstagefright/CameraSource.cpp
+++ b/media/libstagefright/CameraSource.cpp

@@ -950,6 +950,14 @@
 
         if (handle != nullptr) {
             // Frame contains a VideoNativeHandleMetadata. Send the handle back to camera.
+            ssize_t offset;
+            size_t size;
+            sp<IMemoryHeap> heap = frame->getMemory(&offset, &size);
+            if (heap->getHeapID() != mMemoryHeapBase->getHeapID()) {
+                ALOGE("%s: Mismatched heap ID, ignoring release (got %x, expected %x)",
+		     __FUNCTION__, heap->getHeapID(), mMemoryHeapBase->getHeapID());
+                return;
+            }
             releaseRecordingFrameHandle(handle);
             mMemoryBases.push_back(frame);
             mMemoryBaseAvailableCond.signal();
commit	0be8a2541594feec746195d6dbbc0db6c602175e	[log] [tgz]
author	Ray Essick <essick@google.com>	Mon Jun 19 10:40:56 2017 -0700
committer	android-build-team Robot <android-build-team-robot@google.com>	Wed Aug 02 17:49:52 2017 +0000
tree	b38655df4629e83460c61b022fb967ff04141771
parent	9cb10d49b1319ea1207cc2f445089aa9266ffc71 [diff]