From c530c5973f425f574fc5e4add205938e5f040ab4 Mon Sep 17 00:00:00 2001
From: Yin-Chia Yeh
Date: Mon, 9 Mar 2020 14:50:36 -0700
Subject: [PATCH] Camera: fix use after free in sensor timestamp

The metadata object might be overriden later and has it memory re-allocated; hence snaping the sensor timestamp value before we call into any method that might change the metadata.

Test: build
Bug: 150944913
Merged-In: I0f944fc9133d3ab279859f20236d956d7ca338f8
Change-Id: I0f944fc9133d3ab279859f20236d956d7ca338f8
(cherry picked from commit 60afc2fd8dab203a5697adbdb8dd4718d00bd9f1)
---
 .../camera/libcameraservice/device3/Camera3OutputUtils.cpp | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/services/camera/libcameraservice/device3/Camera3OutputUtils.cpp b/services/camera/libcameraservice/device3/Camera3OutputUtils.cpp
index 238356e89d..4c8366ff57 100644
--- a/services/camera/libcameraservice/device3/Camera3OutputUtils.cpp
+++ b/services/camera/libcameraservice/device3/Camera3OutputUtils.cpp
@@ -246,6 +246,8 @@ void sendCaptureResult(
 frameNumber);
 return;
 }
+ nsecs_t sensorTimestamp = timestamp.data.i64[0];
+
 for (auto& physicalMetadata : captureResult.mPhysicalMetadatas) {
 camera_metadata_entry timestamp =
 physicalMetadata.mPhysicalCameraMetadata.find(ANDROID_SENSOR_TIMESTAMP);
@@ -337,7 +339,7 @@ void sendCaptureResult(
 CameraMetadata(m.mPhysicalCameraMetadata));
 }
 states.tagMonitor.monitorMetadata(TagMonitor::RESULT,
- frameNumber, timestamp.data.i64[0], captureResult.mMetadata,
+ frameNumber, sensorTimestamp, captureResult.mMetadata,
 monitoredPhysicalMetadata);

 insertResultLocked(states, &captureResult, frameNumber);
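Review bot: The snapshot added in the first hunk has no comment explaining why the value is copied, and the outer `timestamp` entry stays in scope afterwards, so a later edit inside sendCaptureResult could read `timestamp.data` again and bring back the stale pointer this commit removes. I would write it as `const nsecs_t sensorTimestamp = timestamp.data.i64[0];` preceded by `// Copy the value now: timestamp.data points into the metadata buffer, which later updates may reallocate.` The loop that follows declares a second `camera_metadata_entry timestamp` that shadows the outer one, which makes it harder to see which entry a given read refers to; renaming the inner one (for example `physicalTimestamp`) would help, though its uses continue outside the hunk. The check that the entry is non-empty before `i64[0]` is read is presumably the guard ending just above the added line, but it starts outside the hunk, as does the rest of the function.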