From e2b60c810282b7cd09af8544dd479ff5adba46f0 Mon Sep 17 00:00:00 2001
From: Eino-Ville Talvala
Date: Fri, 17 Jul 2015 16:21:44 -0700
Subject: CameraMetadata: Add sanity check to avoid accidental memory corruption.

Update shouldn't be called with a pointer from the metadata structure being updated, since it might be resized. The API really needs rework, but until that happens, detect this condition and error out.

Bug: 22542551
Change-Id: I896c34d8134ac3b101d050fc8aa5d203a08e7267
---
 camera/CameraMetadata.cpp | 11 +++++++++++
 1 file changed, 11 insertions(+)
(limited to 'camera')
diff --git a/camera/CameraMetadata.cpp b/camera/CameraMetadata.cpp
index b96a88f..46bcc1d 100644
--- a/camera/CameraMetadata.cpp
+++ b/camera/CameraMetadata.cpp
@@ -289,6 +289,17 @@ status_t CameraMetadata::updateImpl(uint32_t tag, const void *data,
 ALOGE("%s: Tag %d not found", __FUNCTION__, tag);
 return BAD_VALUE;
 }
+ // Safety check - ensure that data isn't pointing to this metadata, since
+ // that would get invalidated if a resize is needed
+ size_t bufferSize = get_camera_metadata_size(mBuffer);
+ uintptr_t bufAddr = reinterpret_cast(mBuffer);
+ uintptr_t dataAddr = reinterpret_cast(data);
+ if (dataAddr > bufAddr && dataAddr < (bufAddr + bufferSize)) {
+ ALOGE("%s: Update attempted with data from the same metadata buffer!",
+ __FUNCTION__);
+ return INVALID_OPERATION;
+ }
+
 size_t data_size = calculate_camera_metadata_entry_data_size(type, data_count);
--
cgit v1.1
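Review bot: The alias test `dataAddr > bufAddr && dataAddr < (bufAddr + bufferSize)` checks only the first byte of `data` and excludes `bufAddr` itself. A source range that starts at or just before `mBuffer` and runs into it therefore still passes, and would be left dangling if the update resizes the buffer. Since `data_size` is computed immediately after the new block, the check could move below that computation and compare the two ranges: `if (dataAddr < bufAddr + bufferSize && dataAddr + data_size > bufAddr) {`. At minimum the lower bound should be `dataAddr >= bufAddr`. Whether `mBuffer` can be null at this point is not visible in the hunk, since `updateImpl` starts and ends outside it; if it can, it is worth confirming what `get_camera_metadata_size` returns for a null buffer so the range is not computed from a meaningless size.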