diff options
| author | android-build-team Robot <android-build-team-robot@google.com> | 2017-05-25 17:52:11 +0000 |
|---|---|---|
| committer | android-build-team Robot <android-build-team-robot@google.com> | 2017-05-25 17:52:11 +0000 |
| commit | 24257b4e5b4ab72e7397a4546f9b5a8f03dd340d (patch) | |
| tree | be4dc7fdac50053705b723fc1d6fe8a62dffbe94 | |
| parent | e3fd69ce6c4b97cd835d20d96fa3d1cc34f1d088 (diff) | |
| parent | 32a0a438f5f647d47c8b0fce3ccb0be4ace005af (diff) | |
| download | native-24257b4e5b4ab72e7397a4546f9b5a8f03dd340d.tar.gz | |
Merge cherrypicks of [2315763, 2315554, 2315573, 2315765, 2315712, 2315595, 2315713, 2315746, 2315786, 2315799, 2315576, 2315800, 2315673, 2315821, 2315578, 2315597, 2315633, 2315598, 2315769, 2315716, 2315634, 2315823, 2315801, 2315636, 2315717, 2315772, 2315753, 2315803, 2315638, 2315840, 2315841, 2315842, 2315824, 2315791, 2315879, 2315804, 2315827, 2315863, 2315792, 2315864, 2315755, 2315882, 2315756, 2315828, 2315793, 2315865, 2315883, 2315899, 2315885, 2315796, 2315869, 2315923, 2315924, 2315943] into nyc-mr1-security-e-releaseandroid-7.1.1_r45
Change-Id: I17120d06aa94efb8e4d412e9c29359ce48c30630
| -rw-r--r-- | libs/gui/IGraphicBufferProducer.cpp | 9 | ||||
| -rw-r--r-- | libs/gui/Surface.cpp | 6 | ||||
| -rw-r--r-- | libs/ui/Fence.cpp | 2 |
3 files changed, 16 insertions, 1 deletions
diff --git a/libs/gui/IGraphicBufferProducer.cpp b/libs/gui/IGraphicBufferProducer.cpp index f4ba3bf15f..1a08130c44 100644 --- a/libs/gui/IGraphicBufferProducer.cpp +++ b/libs/gui/IGraphicBufferProducer.cpp @@ -26,6 +26,7 @@ #include <binder/Parcel.h> #include <binder/IInterface.h> +#include <gui/BufferQueueDefs.h> #include <gui/IGraphicBufferProducer.h> #include <gui/IProducerListener.h> @@ -203,8 +204,16 @@ public: if (result != NO_ERROR) { return result; } + *slot = reply.readInt32(); result = reply.readInt32(); + if (result == NO_ERROR && + (*slot < 0 || *slot >= BufferQueueDefs::NUM_BUFFER_SLOTS)) { + ALOGE("attachBuffer returned invalid slot %d", *slot); + android_errorWriteLog(0x534e4554, "37478824"); + return UNKNOWN_ERROR; + } + return result; } diff --git a/libs/gui/Surface.cpp b/libs/gui/Surface.cpp index 08382908ba..5a2ca8d7ac 100644 --- a/libs/gui/Surface.cpp +++ b/libs/gui/Surface.cpp @@ -306,6 +306,12 @@ int Surface::dequeueBuffer(android_native_buffer_t** buffer, int* fenceFd) { return result; } + if (buf < 0 || buf >= NUM_BUFFER_SLOTS) { + ALOGE("dequeueBuffer: IGraphicBufferProducer returned invalid slot number %d", buf); + android_errorWriteLog(0x534e4554, "36991414"); // SafetyNet logging + return FAILED_TRANSACTION; + } + Mutex::Autolock lock(mMutex); sp<GraphicBuffer>& gbuf(mSlots[buf].buffer); diff --git a/libs/ui/Fence.cpp b/libs/ui/Fence.cpp index bf24ffb7e0..1b2f34dfa8 100644 --- a/libs/ui/Fence.cpp +++ b/libs/ui/Fence.cpp @@ -157,7 +157,7 @@ status_t Fence::unflatten(void const*& buffer, size_t& size, int const*& fds, si return INVALID_OPERATION; } - if (size < 1) { + if (size < getFlattenedSize()) { return NO_MEMORY; } |