From eff134a61a5dd081ee578628704a66dca24e0cf7 Mon Sep 17 00:00:00 2001
From: Ruben Brunk <rubenbrunk@google.com>
Date: Fri, 17 Jul 2015 15:22:01 -0700
Subject: Fix UAF error in CameraModule.

Bug: 22542551
Change-Id: I2fe5791a6554a8e2f7fd94593d552d8af18257db
---
 services/camera/libcameraservice/common/CameraModule.cpp | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

(limited to 'services')

diff --git a/services/camera/libcameraservice/common/CameraModule.cpp b/services/camera/libcameraservice/common/CameraModule.cpp
index 1ae01ae..6a4dfe0 100644
--- a/services/camera/libcameraservice/common/CameraModule.cpp
+++ b/services/camera/libcameraservice/common/CameraModule.cpp
@@ -136,9 +136,10 @@ void CameraModule::deriveCameraCharacteristicsKeys(
     // Always add a default for the pre-correction active array if the vendor chooses to omit this
     camera_metadata_entry entry = chars.find(ANDROID_SENSOR_INFO_PRE_CORRECTION_ACTIVE_ARRAY_SIZE);
     if (entry.count == 0) {
+        Vector<int32_t> preCorrectionArray;
         entry = chars.find(ANDROID_SENSOR_INFO_ACTIVE_ARRAY_SIZE);
-        chars.update(ANDROID_SENSOR_INFO_PRE_CORRECTION_ACTIVE_ARRAY_SIZE, entry.data.i32,
-                entry.count);
+        preCorrectionArray.appendArray(entry.data.i32, entry.count);
+        chars.update(ANDROID_SENSOR_INFO_PRE_CORRECTION_ACTIVE_ARRAY_SIZE, preCorrectionArray);
     }
 
     return;
-- 
cgit v1.1