author | Baldev Sahu <quic_c_bsahu@quicinc.com> | 2022-11-11 15:03:25 +0530 |
---|---|---|
committer | Guus Sliepen <gsliepen@google.com> | 2023-04-04 12:55:00 +0000 |
commit | af82c80bdaf4da86832d31a9c1ca76fe3c123b12 (patch) | |
tree | 64dc049b9f04a72347965f3a2285299d6d9169e9 | |
parent | 58137990bb14cdac7b0e368bc8e3b92081dc2d2a (diff) | |
download | display-android13-qpr3-c-s5-release.tar.gz |
Gralloc: Use handle reserved size while importing buffer
android-13.0.0_r82 android-13.0.0_r81 android-13.0.0_r80 android-13.0.0_r74 android-13.0.0_r73 android-13.0.0_r72 android-13.0.0_r66 android-13.0.0_r65 android-13.0.0_r64 android-13.0.0_r60 android-13.0.0_r59 android-13.0.0_r58 android13-qpr3-c-s8-release android13-qpr3-c-s7-release android13-qpr3-c-s6-release android13-qpr3-c-s5-release android13-qpr3-c-s4-release android13-qpr3-c-s3-release android13-qpr3-c-s2-release android13-qpr3-c-s12-release android13-qpr3-c-s11-release android13-qpr3-c-s10-release android13-qpr3-c-s1-release
Use the handle's reserved size instead of the metadata reserved_size
when importing a buffer, because the metadata reserved size can be
modified by the client, which can cause memory corruption.
Bug: 253297595
Change-Id: Iedbb9eea589b56e81e044603c958f0b2c4cb3720
Signed-off-by: Guus Sliepen <gsliepen@google.com>
-rw-r--r-- | gralloc/gr_buf_mgr.cpp | 3 |
1 files changed, 1 insertions, 2 deletions
diff --git a/gralloc/gr_buf_mgr.cpp b/gralloc/gr_buf_mgr.cpp
index 72b72fb7..61249a98 100644
--- a/gralloc/gr_buf_mgr.cpp
+++ b/gralloc/gr_buf_mgr.cpp
@@ -806,9 +806,8 @@ void BufferManager::RegisterHandleLocked(const private_handle_t *hnd, int ion_ha
 auto buffer = std::make_shared<Buffer>(hnd, ion_handle, ion_handle_meta);
 if (hnd->base_metadata) {
- auto metadata = reinterpret_cast<MetaData_t *>(hnd->base_metadata);
 #ifdef METADATA_V2
- buffer->reserved_size = metadata->reservedSize;
+ buffer->reserved_size = hnd->reserved_size;
 if (buffer->reserved_size > 0) {
 buffer->reserved_region_ptr = reinterpret_cast<void *>(hnd->base_metadata + sizeof(MetaData_t)); |
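Review bot: The new assignment `buffer->reserved_size = hnd->reserved_size;` under `#ifdef METADATA_V2` stores the handle field without a visible bound, while `reserved_region_ptr` on the following lines still points at `hnd->base_metadata + sizeof(MetaData_t)`; nothing in the hunk shows that the metadata mapping is at least `sizeof(MetaData_t) + hnd->reserved_size` bytes long. If the handle can reach this path from an imported, client-supplied native handle (not visible here), the value should be checked against the size actually mapped for the metadata before it is stored. It would also help to record the reason at the assignment, e.g. `// Size comes from the handle, not MetaData_t: the metadata region is client-writable.`, so that the read is not moved back to shared memory later. RegisterHandleLocked starts and ends outside the hunk, so an existing check elsewhere in the function cannot be ruled out.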