Check frame handle validity before freeing buffer.

in CameraSource::releaseRecordingFrame(), validate the
VideoNativeHandleMetadata field when received. Avoid releasing
invalid handles (and thus invalid memory) if this has been
corrupted in user space.

Bug: 37662122
Test: poc before/after on nyc-mr2
(cherry picked from commit 7eb18466d9ee817ae1087ddc895902e8eae05535)

Change-Id: Icb982d410677c3092f9eb611acaaba42b86e5f06
diff --git a/media/libstagefright/CameraSource.cpp b/media/libstagefright/CameraSource.cpp
index a569f5d..1cd7693 100644
--- a/media/libstagefright/CameraSource.cpp
+++ b/media/libstagefright/CameraSource.cpp
@@ -970,6 +970,14 @@
         }
 
         if (handle != nullptr) {
+            ssize_t offset;
+            size_t size;
+            sp<IMemoryHeap> heap = frame->getMemory(&offset, &size);
+            if (heap->getHeapID() != mMemoryHeapBase->getHeapID()) {
+                ALOGE("%s: Mismatched heap ID, ignoring release (got %x, expected %x)",
+		     __FUNCTION__, heap->getHeapID(), mMemoryHeapBase->getHeapID());
+                return;
+            }
             uint32_t batchSize = 0;
             {
                 Mutex::Autolock autoLock(mBatchLock);