Merge "Camera: Validate face count in received metadata" into rvc-dev am: fdb7e3c281 am: 554e4897e7 Change-Id: Ie454624a80d04540aec9424d1a16c9bd63024235

commit: a60859f945daf744696b8e8b3ac6d85c9d98050c [log] [tgz]
author: Eino-Ville Talvala <etalvala@google.com> Thu Apr 30 01:17:23 2020 +0000
committer: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> Thu Apr 30 01:17:23 2020 +0000
tree: 2be45154745086c1d0cf0d4a22f99f0fadfa0142
parent: 3fe8606c68eb68a63610865f29cba9f1e552ea8a [diff]
parent: 554e4897e7f002893b251d99fc393a83363b7110 [diff]
diff --git a/camera/ICameraClient.cpp b/camera/ICameraClient.cpp
index 8620f36..487b8b0 100644
--- a/camera/ICameraClient.cpp
+++ b/camera/ICameraClient.cpp

@@ -143,6 +143,11 @@
             if (data.dataAvail() > 0) {
                 metadata = new camera_frame_metadata_t;
                 metadata->number_of_faces = data.readInt32();
+                if (metadata->number_of_faces <= 0 ||
+                        metadata->number_of_faces > (int32_t)(INT32_MAX / sizeof(camera_face_t))) {
+                    ALOGE("%s: Too large face count: %d", __FUNCTION__, metadata->number_of_faces);
+                    return BAD_VALUE;
+                }
                 metadata->faces = (camera_face_t *) data.readInplace(
                         sizeof(camera_face_t) * metadata->number_of_faces);
             }
commit	a60859f945daf744696b8e8b3ac6d85c9d98050c	[log] [tgz]
author	Eino-Ville Talvala <etalvala@google.com>	Thu Apr 30 01:17:23 2020 +0000
committer	Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	Thu Apr 30 01:17:23 2020 +0000
tree	2be45154745086c1d0cf0d4a22f99f0fadfa0142
parent	3fe8606c68eb68a63610865f29cba9f1e552ea8a [diff]
parent	554e4897e7f002893b251d99fc393a83363b7110 [diff]