From 649a27ad16faeb7a6bf87a50a33d19d461ece27c Mon Sep 17 00:00:00 2001
From: Emilian Peev <epeev@google.com>
Date: Tue, 18 Feb 2020 13:38:04 -0800
Subject: [PATCH] Camera: Fix possible ExifUtils heap corruption

Both EXIF_TAG_IMAGE_WIDTH and EXIF_TAG_IMAGE_LENGTH
expect short values as per EXIF spec. Call appropriate
libexif function to avoid possible heap corruption.

Bug: 148223871
Test: run sts-engbuild-no-spl-lock -m StsHostTestCases --test android.security.sts.Poc20_02#testPocBug_148223871
Change-Id: I57a774454b52c16d7da9f90d7e3a3407294606a5
---
 services/camera/libcameraservice/utils/ExifUtils.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/services/camera/libcameraservice/utils/ExifUtils.cpp b/services/camera/libcameraservice/utils/ExifUtils.cpp
index c0afdc18ca..8a0303a8e0 100644
--- a/services/camera/libcameraservice/utils/ExifUtils.cpp
+++ b/services/camera/libcameraservice/utils/ExifUtils.cpp
@@ -603,13 +603,13 @@ bool ExifUtilsImpl::setGpsTimestamp(const struct tm& t) {
 }
 
 bool ExifUtilsImpl::setImageHeight(uint32_t length) {
-    SET_LONG(EXIF_IFD_0, EXIF_TAG_IMAGE_LENGTH, length);
+    SET_SHORT(EXIF_IFD_0, EXIF_TAG_IMAGE_LENGTH, length);
     SET_LONG(EXIF_IFD_EXIF, EXIF_TAG_PIXEL_Y_DIMENSION, length);
     return true;
 }
 
 bool ExifUtilsImpl::setImageWidth(uint32_t width) {
-    SET_LONG(EXIF_IFD_0, EXIF_TAG_IMAGE_WIDTH, width);
+    SET_SHORT(EXIF_IFD_0, EXIF_TAG_IMAGE_WIDTH, width);
     SET_LONG(EXIF_IFD_EXIF, EXIF_TAG_PIXEL_X_DIMENSION, width);
     return true;
 }