Camera metadata: Check for inconsistent data count
Also check for overflow of data/entry count on append.
Bug: 30591838
(Cherry-pick from Change-Id: Ibf4c3c6e236cdb28234f3125055d95ef0a2416a2)
Change-Id: I1b9bd51bc3add785d3b9feb48acb999bafca3388
diff --git a/camera/src/camera_metadata.c b/camera/src/camera_metadata.c
index 9bb58cb..99277f7 100644
--- a/camera/src/camera_metadata.c
+++ b/camera/src/camera_metadata.c
@@ -13,7 +13,7 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
-
+#define _GNU_SOURCE // for fdprintf
#include <inttypes.h>
#include <system/camera_metadata.h>
#include <camera_metadata_hidden.h>
@@ -390,6 +390,14 @@
return ERROR;
}
+ if (metadata->data_count > metadata->data_capacity) {
+ ALOGE("%s: Data count (%" PRIu32 ") should be <= data capacity "
+ "(%" PRIu32 ")",
+ __FUNCTION__, metadata->data_count, metadata->data_capacity);
+ android_errorWriteLog(SN_EVENT_LOG_ID, "30591838");
+ return ERROR;
+ }
+
const metadata_uptrdiff_t entries_end =
metadata->entries_start + metadata->entry_capacity;
if (entries_end < metadata->entries_start || // overflow check
@@ -496,6 +504,10 @@
const camera_metadata_t *src) {
if (dst == NULL || src == NULL ) return ERROR;
+ // Check for overflow
+ if (src->entry_count + dst->entry_count < src->entry_count) return ERROR;
+ if (src->data_count + dst->data_count < src->data_count) return ERROR;
+ // Check for space
if (dst->entry_capacity < src->entry_count + dst->entry_count) return ERROR;
if (dst->data_capacity < src->data_count + dst->data_count) return ERROR;