From b2aada6e8481575304f50594d715b8eeac1b54be Mon Sep 17 00:00:00 2001
From: Colin Cross
Date: Tue, 22 Jul 2014 15:55:08 -0700
Subject: [PATCH 1/2] crash if getNativeBuffer() called on NULL GraphicBuffer
If getNativeBuffer() is called on a NULL GraphicBuffer the static_cast of this from GraphicBuffer* to ANativeWindowBuffer* will return a small pointer like (ANativeWindowBuffer*)0x10. This value can propagate past NULL checks until it causes a crash far away from the original NULL pointer. Crash immediately instead.
Change-Id: Id614b9eb1484108b3c3c733545309844c4b87532
---
 libs/ui/GraphicBuffer.cpp | 1 +
 1 file changed, 1 insertion(+)
diff --git a/libs/ui/GraphicBuffer.cpp b/libs/ui/GraphicBuffer.cpp
index e21dc53ca..9b0bd601c 100644
--- a/libs/ui/GraphicBuffer.cpp
+++ b/libs/ui/GraphicBuffer.cpp
@@ -126,6 +126,7 @@ void GraphicBuffer::dumpAllocationsToSystemLog()
 ANativeWindowBuffer* GraphicBuffer::getNativeBuffer() const {
+ LOG_ALWAYS_FATAL_IF(this == NULL, "getNativeBuffer() called on NULL GraphicBuffer");
 return static_cast( const_cast(this));
 }
From 86262fcdb4e55bd8e07367d39ed4ff6cba043c3e Mon Sep 17 00:00:00 2001
From: Michael Lentine
Date: Fri, 8 Aug 2014 10:30:44 -0700
Subject: [PATCH 2/2] Revert "Modify EGL to disconnect the window when the surface gets destroyed."
This reverts commit 843cbb241da60ada234918a30cfe9a01a1e04187.
---
 libs/gui/BufferQueueProducer.cpp | 4 ++--
 opengl/libs/EGL/eglApi.cpp | 9 ---------
 2 files changed, 2 insertions(+), 11 deletions(-)
diff --git a/libs/gui/BufferQueueProducer.cpp b/libs/gui/BufferQueueProducer.cpp
index cbca3acd2..a53775fa7 100644
--- a/libs/gui/BufferQueueProducer.cpp
+++ b/libs/gui/BufferQueueProducer.cpp
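Review bot: The `this == NULL` test added to GraphicBuffer::getNativeBuffer() in libs/ui/GraphicBuffer.cpp depends on undefined behaviour, so the guard cannot be relied on to fire. Calling a member function through a null pointer is already undefined, and an optimizing compiler may assume `this` is never null and delete the comparison (clang reports this pattern under `-Wtautological-undefined-compare`); the small non-null pointer described in the commit message would then propagate again. The check belongs on the pointer before the call, at the call sites or in a non-member helper taking the `GraphicBuffer*`, for example `LOG_ALWAYS_FATAL_IF(buffer == NULL, "getNativeBuffer() called on NULL GraphicBuffer");` where `buffer` stands for the caller's pointer. If the in-method check is kept as a stopgap, a comment saying it is best-effort and may be optimized out would stop later readers from treating it as a guarantee.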
@@ -830,8 +830,8 @@ status_t BufferQueueProducer::disconnect(int api) {
 mCore->mSidebandStream.clear();
 mCore->mDequeueCondition.broadcast();
 listener = mCore->mConsumerListener;
- } else if (mCore->mConnectedApi != BufferQueueCore::NO_CONNECTED_API) {
- BQ_LOGE("disconnect(P): still connected to another API "
+ } else {
+ BQ_LOGE("disconnect(P): connected to another API "
 "(cur=%d req=%d)", mCore->mConnectedApi, api);
 status = BAD_VALUE;
 }
diff --git a/opengl/libs/EGL/eglApi.cpp b/opengl/libs/EGL/eglApi.cpp
index 99c01b7e9..6e77e457b 100644
--- a/opengl/libs/EGL/eglApi.cpp
+++ b/opengl/libs/EGL/eglApi.cpp
@@ -572,15 +572,6 @@ EGLBoolean eglDestroySurface(EGLDisplay dpy, EGLSurface surface)
 return setError(EGL_BAD_SURFACE, EGL_FALSE);
 egl_surface_t * const s = get_surface(surface);
- ANativeWindow* window = s->win.get();
- if (window) {
- int result = native_window_api_disconnect(window, NATIVE_WINDOW_API_EGL);
- if (result != OK) {
- ALOGE("eglDestroySurface: native_window_api_disconnect (win=%p) "
- "failed (%#x)",
- window, result);
- }
- }
 EGLBoolean result = s->cnx->egl.eglDestroySurface(dp->disp.dpy, s->surface);
 if (result == EGL_TRUE) {
 _s.terminate();
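Review bot: In the BufferQueueProducer::disconnect hunk, the restored bare `else` logs "connected to another API" and returns BAD_VALUE for every case its `if` does not match, which, judging by the condition on the removed line, includes a producer that is not connected at all (`mConnectedApi == NO_CONNECTED_API`). A repeated or late disconnect would then appear in the log as an API mismatch, which is misleading when triaging surface teardown and buffer-lifetime problems. The `if` this branch belongs to starts outside the hunk, so this is inferred from the visible lines; if it holds, a separate message for the not-connected case would keep the log accurate, e.g. `BQ_LOGE("disconnect(P): not connected (req=%d)", api);`.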