summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
author TreeHugger Robot <treehugger-gerrit@google.com> 2020-03-05 00:30:48 +0000
committer Android (Google) Code Review <android-gerrit@google.com> 2020-03-05 00:30:48 +0000
commit29e122b35c30c811943453cfb718bf839a737f22 (patch)
tree7ed076a6fbff49d4fbabfe4cba675d8435f3ff19
parentabb891a722ddbcb82f579d00e4f95c54b1bd0c13 (diff)
parent0a52509e8cdc6da93daab9c34fdbb63232fa8adf (diff)
Merge "ISurfaceComposer: boundary check input on CAPTURE_LAYERS" into rvc-dev
Diffstat
-rw-r--r--libs/gui/ISurfaceComposer.cpp3
-rw-r--r--libs/gui/include/gui/ISurfaceComposer.h2
-rw-r--r--services/surfaceflinger/SurfaceFlinger.cpp6
-rw-r--r--services/surfaceflinger/SurfaceFlinger.h3
4 files changed, 9 insertions, 5 deletions
diff --git a/libs/gui/ISurfaceComposer.cpp b/libs/gui/ISurfaceComposer.cpp
index ce41eaba1d..04c21a9e1d 100644
--- a/libs/gui/ISurfaceComposer.cpp
+++ b/libs/gui/ISurfaceComposer.cpp
@@ -1281,6 +1281,9 @@ status_t BnSurfaceComposer::onTransact(
std::unordered_set<sp<IBinder>, SpHash<IBinder>> excludeHandles;
int numExcludeHandles = data.readInt32();
+ if (numExcludeHandles >= static_cast<int>(MAX_LAYERS)) {
+ return BAD_VALUE;
+ }
excludeHandles.reserve(numExcludeHandles);
for (int i = 0; i < numExcludeHandles; i++) {
excludeHandles.emplace(data.readStrongBinder());
diff --git a/libs/gui/include/gui/ISurfaceComposer.h b/libs/gui/include/gui/ISurfaceComposer.h
index 0659f0de06..09487eab8b 100644
--- a/libs/gui/include/gui/ISurfaceComposer.h
+++ b/libs/gui/include/gui/ISurfaceComposer.h
@@ -76,6 +76,8 @@ class ISurfaceComposer: public IInterface {
public:
DECLARE_META_INTERFACE(SurfaceComposer)
+ static constexpr size_t MAX_LAYERS = 4096;
+
// flags for setTransactionState()
enum {
eSynchronous = 0x01,
diff --git a/services/surfaceflinger/SurfaceFlinger.cpp b/services/surfaceflinger/SurfaceFlinger.cpp
index 597e4d3ef2..163a1c743b 100644
--- a/services/surfaceflinger/SurfaceFlinger.cpp
+++ b/services/surfaceflinger/SurfaceFlinger.cpp
@@ -367,7 +367,7 @@ SurfaceFlinger::SurfaceFlinger(Factory& factory) : SurfaceFlinger(factory, SkipI
property_get("ro.sf.blurs_are_expensive", value, "0");
mBlursAreExpensive = atoi(value);
- const size_t defaultListSize = MAX_LAYERS;
+ const size_t defaultListSize = ISurfaceComposer::MAX_LAYERS;
auto listSize = property_get_int32("debug.sf.max_igbp_list_size", int32_t(defaultListSize));
mMaxGraphicBufferProducerListSize = (listSize > 0) ? size_t(listSize) : defaultListSize;
@@ -3068,9 +3068,9 @@ status_t SurfaceFlinger::addClientLayer(const sp<Client>& client, const sp<IBind
parent = parentLayer;
}
- if (mNumLayers >= MAX_LAYERS) {
+ if (mNumLayers >= ISurfaceComposer::MAX_LAYERS) {
ALOGE("AddClientLayer failed, mNumLayers (%zu) >= MAX_LAYERS (%zu)", mNumLayers.load(),
- MAX_LAYERS);
+ ISurfaceComposer::MAX_LAYERS);
return NO_MEMORY;
}
diff --git a/services/surfaceflinger/SurfaceFlinger.h b/services/surfaceflinger/SurfaceFlinger.h
index 83f01319d3..e7f9930392 100644
--- a/services/surfaceflinger/SurfaceFlinger.h
+++ b/services/surfaceflinger/SurfaceFlinger.h
@@ -351,7 +351,6 @@ private:
// every half hour.
enum { LOG_FRAME_STATS_PERIOD = 30*60*60 };
- static const size_t MAX_LAYERS = 4096;
static const int MAX_TRACING_MEMORY = 100 * 1024 * 1024; // 100MB
protected:
@@ -976,7 +975,7 @@ private:
// Can't be unordered_set because wp<> isn't hashable
std::set<wp<IBinder>> mGraphicBufferProducerList;
- size_t mMaxGraphicBufferProducerListSize = MAX_LAYERS;
+ size_t mMaxGraphicBufferProducerListSize = ISurfaceComposer::MAX_LAYERS;
// protected by mStateLock (but we could use another lock)
bool mLayersRemoved = false;
generated by cgit v1.2.3-59-g8ed1b (git 2.39.0) at 2025-10-24 14:05:25 +0000