Camera: Fix memory leak if malformed face data is received
The unparceling code for face metadata in API1 dynamically allocates
a camera_metadata structure, and a recent fix forgot to delete that
structure in an error path.
Fix this by allocating the metadata structure on the stack instead of
the heap; it's tiny anyway.
Test: atest CtsCameraTestCases
Bug: 155512103
Change-Id: I9b81cdb3ab47c7b6c94c6ed65213ddafef529dc9
diff --git a/camera/ICameraClient.cpp b/camera/ICameraClient.cpp
index 487b8b0..c02c81b 100644
--- a/camera/ICameraClient.cpp
+++ b/camera/ICameraClient.cpp
@@ -139,20 +139,18 @@
CHECK_INTERFACE(ICameraClient, data, reply);
int32_t msgType = data.readInt32();
sp<IMemory> imageData = interface_cast<IMemory>(data.readStrongBinder());
- camera_frame_metadata_t *metadata = NULL;
+ camera_frame_metadata_t metadata;
if (data.dataAvail() > 0) {
- metadata = new camera_frame_metadata_t;
- metadata->number_of_faces = data.readInt32();
- if (metadata->number_of_faces <= 0 ||
- metadata->number_of_faces > (int32_t)(INT32_MAX / sizeof(camera_face_t))) {
- ALOGE("%s: Too large face count: %d", __FUNCTION__, metadata->number_of_faces);
+ metadata.number_of_faces = data.readInt32();
+ if (metadata.number_of_faces <= 0 ||
+ metadata.number_of_faces > (int32_t)(INT32_MAX / sizeof(camera_face_t))) {
+ ALOGE("%s: Too large face count: %d", __FUNCTION__, metadata.number_of_faces);
return BAD_VALUE;
}
- metadata->faces = (camera_face_t *) data.readInplace(
- sizeof(camera_face_t) * metadata->number_of_faces);
+ metadata.faces = (camera_face_t *) data.readInplace(
+ sizeof(camera_face_t) * metadata.number_of_faces);
}
- dataCallback(msgType, imageData, metadata);
- if (metadata) delete metadata;
+ dataCallback(msgType, imageData, &metadata);
return NO_ERROR;
} break;
case DATA_CALLBACK_TIMESTAMP: {
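Review bot: When `data.dataAvail()` is 0 the new code passes `&metadata` for a struct that was never initialised, where the old code passed NULL, so `dataCallback` now receives a non-null pointer with indeterminate `number_of_faces` and `faces`. Declaring it as `camera_frame_metadata_t metadata = {};` and passing a pointer that is only set inside the `if` keeps the old no-metadata contract. The result of `readInplace()` is also stored unchecked; it returns NULL when the parcel holds fewer bytes than requested, which leaves a positive face count paired with a null `faces` pointer, so that case should return BAD_VALUE as well. The enclosing transaction handler starts and ends outside this hunk, so how the callback treats these fields is not visible here.

```cpp
camera_frame_metadata_t metadata = {};
camera_frame_metadata_t *metadataPtr = NULL;
if (data.dataAvail() > 0) {
    // … unchanged: number_of_faces read and range check …
    metadata.faces = (camera_face_t *) data.readInplace(
            sizeof(camera_face_t) * metadata.number_of_faces);
    if (metadata.faces == NULL) {
        ALOGE("%s: Face data truncated", __FUNCTION__);
        return BAD_VALUE;
    }
    metadataPtr = &metadata;
}
dataCallback(msgType, imageData, metadataPtr);
```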