Camera metadata: Check source metadata size Source size passed by client could be smaller than 'camera_metadata_t'. In this case the cast in 'allocate_copy_camera_metadata_checked()' will be incorrect and we will try to access invalid heap memory. Bug: 67782345 Test: Camera CTS Change-Id: I9582c704f414493978d09ffb603b5e8368cda5ce (cherry picked from commit 489bbd13bf0add8029444b9d9505b3d118776ea3)

commit: f378adfe06c0c1da224d1c906b7d49b11720e395 [log] [tgz]
author: Emilian Peev <epeev@google.com> Mon Nov 06 10:41:19 2017 +0000
committer: Nikoli Cartagena <dargeren@google.com> Tue Nov 28 21:27:39 2017 -0800
tree: eba582dc8d09a29d1ad5b7163b243a6eeff26f2d
parent: 34893ec78fce2961bccaee6f81448c2fcfb7811d [diff]
diff --git a/camera/src/camera_metadata.c b/camera/src/camera_metadata.c
index dc80086..e99abc4 100644
--- a/camera/src/camera_metadata.c
+++ b/camera/src/camera_metadata.c

@@ -228,6 +228,12 @@
         return NULL;
     }
 
+    if (src_size < sizeof(camera_metadata_t)) {
+        ALOGE("%s: Source size too small!", __FUNCTION__);
+        android_errorWriteLog(0x534e4554, "67782345");
+        return NULL;
+    }
+
     void *buffer = malloc(src_size);
     memcpy(buffer, src, src_size);
commit	f378adfe06c0c1da224d1c906b7d49b11720e395	[log] [tgz]
author	Emilian Peev <epeev@google.com>	Mon Nov 06 10:41:19 2017 +0000
committer	Nikoli Cartagena <dargeren@google.com>	Tue Nov 28 21:27:39 2017 -0800
tree	eba582dc8d09a29d1ad5b7163b243a6eeff26f2d
parent	34893ec78fce2961bccaee6f81448c2fcfb7811d [diff]