Merge "Camera: Fix memory leak if malformed face data is received" into rvc-dev

gugelfrei
TreeHugger Robot 4 years ago committed by Android (Google) Code Review
commit fd267eb2f9

@ -139,20 +139,18 @@ status_t BnCameraClient::onTransact(
CHECK_INTERFACE(ICameraClient, data, reply);
int32_t msgType = data.readInt32();
sp<IMemory> imageData = interface_cast<IMemory>(data.readStrongBinder());
camera_frame_metadata_t *metadata = NULL;
camera_frame_metadata_t metadata;
if (data.dataAvail() > 0) {
metadata = new camera_frame_metadata_t;
metadata->number_of_faces = data.readInt32();
if (metadata->number_of_faces <= 0 ||
metadata->number_of_faces > (int32_t)(INT32_MAX / sizeof(camera_face_t))) {
ALOGE("%s: Too large face count: %d", __FUNCTION__, metadata->number_of_faces);
metadata.number_of_faces = data.readInt32();
if (metadata.number_of_faces <= 0 ||
metadata.number_of_faces > (int32_t)(INT32_MAX / sizeof(camera_face_t))) {
ALOGE("%s: Too large face count: %d", __FUNCTION__, metadata.number_of_faces);
return BAD_VALUE;
}
metadata->faces = (camera_face_t *) data.readInplace(
sizeof(camera_face_t) * metadata->number_of_faces);
metadata.faces = (camera_face_t *) data.readInplace(
sizeof(camera_face_t) * metadata.number_of_faces);
}
dataCallback(msgType, imageData, metadata);
if (metadata) delete metadata;
dataCallback(msgType, imageData, &metadata);
return NO_ERROR;
} break;
case DATA_CALLBACK_TIMESTAMP: {
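Review bot: When the parcel carries no face data (`data.dataAvail() > 0` is false), the new stack `metadata` is never written, yet `&metadata` is still passed to `dataCallback`, where the old code passed NULL. A callee that only null-checks the pointer (its body is not visible here) would then read an indeterminate `number_of_faces` and `faces`. I would value-initialise it with `camera_frame_metadata_t metadata = {};` and keep the old contract by passing `hasMetadata ? &metadata : NULL`, with `hasMetadata` set inside the `if`. Separately, the result of `data.readInplace(...)` is stored without a check, so if it returns null on a truncated parcel, a positive face count travels with a null `faces`; `if (metadata.faces == NULL) return BAD_VALUE;` after the read would close that. The enclosing `case` block and `onTransact` begin above this hunk.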
