From c59a656f9923a0e2fc308dabc373594e88b345d1 Mon Sep 17 00:00:00 2001
From: Eino-Ville Talvala <etalvala@google.com>
Date: Wed, 1 Feb 2017 15:27:41 -0800
Subject: CameraBase: Don't return an sp<> by reference

If the server dies, the binder death callback clears out
the global camera service sp<>, and any current references to it
will become quite unhappy.

Test: Camera CTS passes
Bug: 31992879
AOSP-Change-Id: I2966bed35d0319e3f26e3d4b1b8dc08006a22348

CVE-2017-0544

Change-Id: Ib7ef455366927b0471f8fcabdd5a54e38e375d41
(cherry picked from commit 4b49489c12e6862e9a320ebcb53872e809ed20ec)
---
 camera/CameraBase.cpp       | 10 +++++-----
 include/camera/CameraBase.h |  2 +-
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/camera/CameraBase.cpp b/camera/CameraBase.cpp
index 5d50aa8..871dcea 100644
--- a/camera/CameraBase.cpp
+++ b/camera/CameraBase.cpp
@@ -65,7 +65,7 @@ namespace {
 
 // establish binder interface to camera service
 template <typename TCam, typename TCamTraits>
-const sp<ICameraService>& CameraBase<TCam, TCamTraits>::getCameraService()
+const sp<ICameraService> CameraBase<TCam, TCamTraits>::getCameraService()
 {
     Mutex::Autolock _l(gLock);
     if (gCameraService.get() == 0) {
@@ -98,7 +98,7 @@ sp<TCam> CameraBase<TCam, TCamTraits>::connect(int cameraId,
     sp<TCam> c = new TCam(cameraId);
     sp<TCamCallbacks> cl = c;
     status_t status = NO_ERROR;
-    const sp<ICameraService>& cs = getCameraService();
+    const sp<ICameraService> cs = getCameraService();
 
     if (cs != 0) {
         TCamConnectService fnConnectService = TCamTraits::fnConnectService;
@@ -195,7 +195,7 @@ int CameraBase<TCam, TCamTraits>::getNumberOfCameras() {
 template <typename TCam, typename TCamTraits>
 status_t CameraBase<TCam, TCamTraits>::getCameraInfo(int cameraId,
                                struct CameraInfo* cameraInfo) {
-    const sp<ICameraService>& cs = getCameraService();
+    const sp<ICameraService> cs = getCameraService();
     if (cs == 0) return UNKNOWN_ERROR;
     return cs->getCameraInfo(cameraId, cameraInfo);
 }
@@ -203,7 +203,7 @@ status_t CameraBase<TCam, TCamTraits>::getCameraInfo(int cameraId,
 template <typename TCam, typename TCamTraits>
 status_t CameraBase<TCam, TCamTraits>::addServiceListener(
                             const sp<ICameraServiceListener>& listener) {
-    const sp<ICameraService>& cs = getCameraService();
+    const sp<ICameraService> cs = getCameraService();
     if (cs == 0) return UNKNOWN_ERROR;
     return cs->addListener(listener);
 }
@@ -211,7 +211,7 @@ status_t CameraBase<TCam, TCamTraits>::addServiceListener(
 template <typename TCam, typename TCamTraits>
 status_t CameraBase<TCam, TCamTraits>::removeServiceListener(
                             const sp<ICameraServiceListener>& listener) {
-    const sp<ICameraService>& cs = getCameraService();
+    const sp<ICameraService> cs = getCameraService();
     if (cs == 0) return UNKNOWN_ERROR;
     return cs->removeListener(listener);
 }
diff --git a/include/camera/CameraBase.h b/include/camera/CameraBase.h
index 1b93157..4c849de 100644
--- a/include/camera/CameraBase.h
+++ b/include/camera/CameraBase.h
@@ -101,7 +101,7 @@ protected:
     virtual void                     binderDied(const wp<IBinder>& who);
 
     // helper function to obtain camera service handle
-    static const sp<ICameraService>& getCameraService();
+    static const sp<ICameraService> getCameraService();
 
     sp<TCamUser>                     mCamera;
     status_t                         mStatus;
-- 
cgit v1.1