Fix UAF error in CameraModule. Bug: 22542551 Change-Id: I2fe5791a6554a8e2f7fd94593d552d8af18257db

commit: eff134a61a5dd081ee578628704a66dca24e0cf7 [log] [tgz]
author: Ruben Brunk <rubenbrunk@google.com> Fri Jul 17 15:22:01 2015 -0700
committer: Ruben Brunk <rubenbrunk@google.com> Fri Jul 17 15:33:46 2015 -0700
tree: f9c20cdd5b2fd292581f50246157d635f81616e4
parent: 4b33e0838fdb1b5e545449add02005916b512c99 [diff] [blame]
diff --git a/services/camera/libcameraservice/common/CameraModule.cpp b/services/camera/libcameraservice/common/CameraModule.cpp
index 1ae01ae..6a4dfe0 100644
--- a/services/camera/libcameraservice/common/CameraModule.cpp
+++ b/services/camera/libcameraservice/common/CameraModule.cpp

@@ -136,9 +136,10 @@
     // Always add a default for the pre-correction active array if the vendor chooses to omit this
     camera_metadata_entry entry = chars.find(ANDROID_SENSOR_INFO_PRE_CORRECTION_ACTIVE_ARRAY_SIZE);
     if (entry.count == 0) {
+        Vector<int32_t> preCorrectionArray;
         entry = chars.find(ANDROID_SENSOR_INFO_ACTIVE_ARRAY_SIZE);
-        chars.update(ANDROID_SENSOR_INFO_PRE_CORRECTION_ACTIVE_ARRAY_SIZE, entry.data.i32,
-                entry.count);
+        preCorrectionArray.appendArray(entry.data.i32, entry.count);
+        chars.update(ANDROID_SENSOR_INFO_PRE_CORRECTION_ACTIVE_ARRAY_SIZE, preCorrectionArray);
     }
 
     return;
commit	eff134a61a5dd081ee578628704a66dca24e0cf7	[log] [tgz]
author	Ruben Brunk <rubenbrunk@google.com>	Fri Jul 17 15:22:01 2015 -0700
committer	Ruben Brunk <rubenbrunk@google.com>	Fri Jul 17 15:33:46 2015 -0700
tree	f9c20cdd5b2fd292581f50246157d635f81616e4
parent	4b33e0838fdb1b5e545449add02005916b512c99 [diff] [blame]