author | John Reck <jreck@google.com> | 2015-01-23 10:57:15 -0800 |
---|---|---|
committer | John Reck <jreck@google.com> | 2015-01-23 11:01:05 -0800 |
commit | 4018eb376383a9bbe2aa75a95cc6917ca72aa0b7 (patch) | |
tree | bec98fd86e140c4d0658883e8846ed146b7e4589 /graphics/java | |
parent | b74155cf01f959fc9b7909de5a22806ad519f7c9 (diff) | |
Prevent memory corruption from use-after-free
Bug: 19035637
If an app tries to call recycle() on a Bitmap that has
already been finalized it will result in use-after-frees. This is
bad. Avoid this by setting the pointer to 0 and checking for this
Change-Id: I12d73703a0f95b05fe4c2fd8e9c01b6a3f2f023b
Diffstat (limited to 'graphics/java')
-rw-r--r-- | graphics/java/android/graphics/Bitmap.java | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/graphics/java/android/graphics/Bitmap.java b/graphics/java/android/graphics/Bitmap.java
index 3f79c2d..72f6118 100644
--- a/graphics/java/android/graphics/Bitmap.java
+++ b/graphics/java/android/graphics/Bitmap.java
@@ -304,7 +304,7 @@ public final class Bitmap implements Parcelable {
 * there are no more references to this bitmap.
 */
 public void recycle() {
- if (!mRecycled) {
+ if (!mRecycled && mFinalizer.mNativeBitmap != 0) {
 if (nativeRecycle(mNativeBitmap)) {
 // return value indicates whether native pixel object was actually recycled.
 // false indicates that it is still in use at the native level and these
@@ -1571,7 +1571,7 @@ public final class Bitmap implements Parcelable {
 }
 private static class BitmapFinalizer {
- private final long mNativeBitmap;
+ private long mNativeBitmap;
 // Native memory allocated for the duration of the Bitmap,
 // if pixel data allocated into native memory, instead of java byte[]
@@ -1597,6 +1597,7 @@ public final class Bitmap implements Parcelable {
 VMRuntime.getRuntime().registerNativeFree(mNativeAllocationByteCount);
 }
 nativeDestructor(mNativeBitmap);
+ mNativeBitmap = 0;
 }
 }
 }
|
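Review bot: The new guard in recycle() is an unsynchronized check-then-act: `mFinalizer.mNativeBitmap` is read on the caller's thread, the third hunk clears it in what is presumably the finalizer path, and the second hunk leaves the field a plain non-final, non-volatile `long`. If the destructor runs between the check and `nativeRecycle(mNativeBitmap)`, native code still receives a freed pointer, and with no happens-before edge the caller may never observe the zero. The call also passes the Bitmap's own `mNativeBitmap` copy, which the visible hunks never clear, instead of the value that was just checked. Consider taking one monitor on both sides, e.g. wrapping the test and the native call in `synchronized (mFinalizer) { ... }` and holding the same monitor around the destructor-and-clear. recycle()'s body continues outside the hunk.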
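Review bot: The field is zeroed only after `nativeDestructor(mNativeBitmap)` has returned, so while the destructor runs the native object is being freed yet the check in recycle() still sees a non-zero value. Taking the pointer into a local and clearing the field first narrows that window: `final long ptr = mNativeBitmap; mNativeBitmap = 0; nativeDestructor(ptr);`. Reordering alone does not make the hand-off safe across threads; it still needs synchronization shared with the reader, or at least a volatile field. The enclosing method starts outside the hunk.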