FPII-2381 Elevation of privilege vulnerability in Camera service CVE-2016-3915 A-30591838
Elevation of privilege vulnerability in Camera service CVE-2016-3915 A-30591838
Change-Id: I1ce7b17d26c790a1acb702c1489e73bfaba98ab1
diff --git a/camera/src/camera_metadata.c b/camera/src/camera_metadata.c
index 1202d91..60c57ff 100644
--- a/camera/src/camera_metadata.c
+++ b/camera/src/camera_metadata.c
@@ -14,6 +14,7 @@
* limitations under the License.
*/
+#define _GNU_SOURCE // for fdprintf
#include <inttypes.h>
#include <system/camera_metadata.h>
#include <camera_metadata_hidden.h>
@@ -390,6 +391,14 @@
return ERROR;
}
+ if (metadata->data_count > metadata->data_capacity) {
+ ALOGE("%s: Data count (%" PRIu32 ") should be <= data capacity "
+ "(%" PRIu32 ")",
+ __FUNCTION__, metadata->data_count, metadata->data_capacity);
+ android_errorWriteLog(SN_EVENT_LOG_ID, "30591838");
+ return ERROR;
+ }
+
const metadata_uptrdiff_t entries_end =
metadata->entries_start + metadata->entry_capacity;
if (entries_end < metadata->entries_start || // overflow check
@@ -495,6 +504,10 @@
const camera_metadata_t *src) {
if (dst == NULL || src == NULL ) return ERROR;
+ // Check for overflow
+ if (src->entry_count + dst->entry_count < src->entry_count) return ERROR;
+ if (src->data_count + dst->data_count < src->data_count) return ERROR;
+ // Check for space
if (dst->entry_capacity < src->entry_count + dst->entry_count) return ERROR;
if (dst->data_capacity < src->data_count + dst->data_count) return ERROR;