authorEino-Ville Talvala <etalvala@google.com>2015-07-17 16:21:44 -0700
committerEino-Ville Talvala <etalvala@google.com>2015-07-17 16:41:31 -0700
commite2b60c810282b7cd09af8544dd479ff5adba46f0 (patch)
tree314001856b6ecdb6708c3cba3c642771666259af /camera
parentb9f72ab0b0b7582e021d369e7179022f7be5b37d (diff)
CameraMetadata: Add sanity check to avoid accidental memory corruption.
Update shouldn't be called with a pointer from the metadata structure being updated, since it might be resized. The API really needs rework, but until that happens, detect this condition and error out. Bug: 22542551 Change-Id: I896c34d8134ac3b101d050fc8aa5d203a08e7267
Diffstat (limited to 'camera')
-rw-r--r--camera/CameraMetadata.cpp11
1 files changed, 11 insertions, 0 deletions
diff --git a/camera/CameraMetadata.cpp b/camera/CameraMetadata.cpp
index b96a88f..46bcc1d 100644
--- a/camera/CameraMetadata.cpp
+++ b/camera/CameraMetadata.cpp
@@ -289,6 +289,17 @@ status_t CameraMetadata::updateImpl(uint32_t tag, const void *data,
ALOGE("%s: Tag %d not found", __FUNCTION__, tag);
return BAD_VALUE;
}
+ // Safety check - ensure that data isn't pointing to this metadata, since
+ // that would get invalidated if a resize is needed
+ size_t bufferSize = get_camera_metadata_size(mBuffer);
+ uintptr_t bufAddr = reinterpret_cast<uintptr_t>(mBuffer);
+ uintptr_t dataAddr = reinterpret_cast<uintptr_t>(data);
+ if (dataAddr > bufAddr && dataAddr < (bufAddr + bufferSize)) {
+ ALOGE("%s: Update attempted with data from the same metadata buffer!",
+ __FUNCTION__);
+ return INVALID_OPERATION;
+ }
+
size_t data_size = calculate_camera_metadata_entry_data_size(type,
data_count);
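Review bot: The lower bound in `if (dataAddr > bufAddr && dataAddr < (bufAddr + bufferSize)) {` is exclusive, so a `data` pointer equal to `mBuffer` itself passes the check even though it points at the buffer that may be reallocated; `if (dataAddr >= bufAddr && dataAddr < (bufAddr + bufferSize)) {` closes that case. The test also looks only at the start address of `data`, not the whole source range, so a comment such as `// Only the start of data is checked; a range that begins before mBuffer and runs into it is not detected` would keep later readers from over-trusting it. updateImpl begins and ends outside this hunk, so whether `mBuffer` can be null when `get_camera_metadata_size(mBuffer)` is called is not visible here.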