From c59a656f9923a0e2fc308dabc373594e88b345d1 Mon Sep 17 00:00:00 2001
From: Eino-Ville Talvala <etalvala@google.com>
Date: Wed, 1 Feb 2017 15:27:41 -0800
Subject: CameraBase: Don't return an sp<> by reference

If the server dies, the binder death callback clears out
the global camera service sp<>, and any current references to it
will become quite unhappy.

Test: Camera CTS passes
Bug: 31992879
AOSP-Change-Id: I2966bed35d0319e3f26e3d4b1b8dc08006a22348

CVE-2017-0544

Change-Id: Ib7ef455366927b0471f8fcabdd5a54e38e375d41
(cherry picked from commit 4b49489c12e6862e9a320ebcb53872e809ed20ec)
---
 include/camera/CameraBase.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'include/camera/CameraBase.h')

diff --git a/include/camera/CameraBase.h b/include/camera/CameraBase.h
index 1b93157..4c849de 100644
--- a/include/camera/CameraBase.h
+++ b/include/camera/CameraBase.h
@@ -101,7 +101,7 @@ protected:
     virtual void                     binderDied(const wp<IBinder>& who);
 
     // helper function to obtain camera service handle
-    static const sp<ICameraService>& getCameraService();
+    static const sp<ICameraService> getCameraService();
 
     sp<TCamUser>                     mCamera;
     status_t                         mStatus;
-- 
cgit v1.1