From 25f0dc440d6c9239a873e6d1fc98b0d8e3eb7c7f Mon Sep 17 00:00:00 2001 From: John Reck Date: Mon, 25 Jan 2016 10:21:54 -0800 Subject: Validate Region.orSelf arguments Bug: 26611248 libui.so has int overflow sanitization enable, so validate that we have "reasonable" looking floats before trying to orSelf the Region. Change-Id: I135ef7be82e7abaa9aa569224c2799612847cd03 --- libs/hwui/BakedOpRenderer.cpp | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) (limited to 'libs/hwui/BakedOpRenderer.cpp') diff --git a/libs/hwui/BakedOpRenderer.cpp b/libs/hwui/BakedOpRenderer.cpp index e65746eea98a..a808b886a90d 100644 --- a/libs/hwui/BakedOpRenderer.cpp +++ b/libs/hwui/BakedOpRenderer.cpp @@ -331,9 +331,28 @@ void BakedOpRenderer::renderFunctor(const FunctorOp& op, const BakedOpState& sta mRenderState.invokeFunctor(op.functor, DrawGlInfo::kModeDraw, &info); } +#define VALIDATE_RECT_ARG(rect, arg) \ + ((isnanf(rect.arg) || rect.arg < -10000 || rect.arg > 10000) ? (\ + ALOGW("suspicious " #rect "." #arg "! %f", rect.arg),\ + false) : true) + +#define VALIDATE_RECT(rect) \ + VALIDATE_RECT_ARG(rect, bottom) & \ + VALIDATE_RECT_ARG(rect, left) & \ + VALIDATE_RECT_ARG(rect, top) & \ + VALIDATE_RECT_ARG(rect, right) + void BakedOpRenderer::dirtyRenderTarget(const Rect& uiDirty) { if (mRenderTarget.offscreenBuffer) { - android::Rect dirty(uiDirty.left, uiDirty.top, uiDirty.right, uiDirty.bottom); + bool valid = VALIDATE_RECT(uiDirty); + android::Rect dirty; + if (valid) { + dirty = android::Rect(uiDirty.left, uiDirty.top, uiDirty.right, uiDirty.bottom); + } else { + dirty = android::Rect(0, 0, + mRenderTarget.offscreenBuffer->viewportWidth, + mRenderTarget.offscreenBuffer->viewportHeight); + } mRenderTarget.offscreenBuffer->region.orSelf(dirty); } } -- cgit v1.2.3-59-g8ed1b