From b393a2d9a93e4af4191e8cbf80a4cc4e9c201940 Mon Sep 17 00:00:00 2001
From: Eino-Ville Talvala
Date: Tue, 28 Apr 2020 18:08:50 -0700
Subject: [PATCH] Camera: Validate face count in received metadata
Ensure the count can't cause an overflow in bytes to be read.
Test: atest CtsCameraTestCases; also add bad face count data from camera service and manually verify the error logs appear when running android.hardware.cts.CameraTest#testFaceDetection.
Bug: 150156131
Change-Id: Ic78ec0ccf67ef8665f80f69aabbb1ae71dd609cd
---
 camera/ICameraClient.cpp | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/camera/ICameraClient.cpp b/camera/ICameraClient.cpp
index 8620f36022..487b8b01ce 100644
--- a/camera/ICameraClient.cpp
+++ b/camera/ICameraClient.cpp
@@ -143,6 +143,11 @@ status_t BnCameraClient::onTransact(
 if (data.dataAvail() > 0) {
 metadata = new camera_frame_metadata_t;
 metadata->number_of_faces = data.readInt32();
+ if (metadata->number_of_faces <= 0 ||
+ metadata->number_of_faces > (int32_t)(INT32_MAX / sizeof(camera_face_t))) {
+ ALOGE("%s: Too large face count: %d", __FUNCTION__, metadata->number_of_faces);
+ return BAD_VALUE;
+ }
 metadata->faces = (camera_face_t *) data.readInplace(
 sizeof(camera_face_t) * metadata->number_of_faces);
 }
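Review bot: The new early `return BAD_VALUE;` leaves the `camera_frame_metadata_t` allocated two lines earlier with `new` unreleased, so every transaction carrying a rejected face count leaks one allocation in the receiving process (assuming `metadata` is a raw pointer, which the plain `new` assignment suggests). Either add `delete metadata;` before the return, or read the count into a local `int32_t` and validate it before allocating. The bound only guarantees that the multiplication fits in 32 bits; `readInplace()` returns null when the parcel holds fewer bytes than requested and its result is stored in `metadata->faces` unchecked, so a check such as `if (metadata->faces == nullptr) { delete metadata; return BAD_VALUE; }` would keep a non-zero count from being paired with a null array. The log text "Too large face count" is also printed for zero and negative counts; `"%s: Invalid face count: %d"` would match the condition. The enclosing case block starts and ends outside this hunk, so how `metadata` is released on the normal path is not visible here.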