Camera metadata: Check source metadata size
Source size passed by client could be smaller than 'camera_metadata_t'.
In this case the cast in 'allocate_copy_camera_metadata_checked()' will
be incorrect and we will try to access invalid heap memory.
Bug: 67782345
Test: Camera CTS
Change-Id: I9582c704f414493978d09ffb603b5e8368cda5ce
(cherry picked from commit 489bbd13bf0add8029444b9d9505b3d118776ea3)
diff --git a/camera/src/camera_metadata.c b/camera/src/camera_metadata.c
index dc80086..e99abc4 100644
--- a/camera/src/camera_metadata.c
+++ b/camera/src/camera_metadata.c
@@ -228,6 +228,12 @@
return NULL;
}
+ if (src_size < sizeof(camera_metadata_t)) {
+ ALOGE("%s: Source size too small!", __FUNCTION__);
+ android_errorWriteLog(0x534e4554, "67782345");
+ return NULL;
+ }
+
void *buffer = malloc(src_size);
memcpy(buffer, src, src_size);