authorJohn Reck <jreck@google.com>2015-01-23 10:57:15 -0800
committerJohn Reck <jreck@google.com>2015-01-23 11:01:05 -0800
commit4018eb376383a9bbe2aa75a95cc6917ca72aa0b7 (patch)
treebec98fd86e140c4d0658883e8846ed146b7e4589 /graphics/java
parentb74155cf01f959fc9b7909de5a22806ad519f7c9 (diff)
Prevent memory corruption from use-after-free
Bug: 19035637

If an app tries to call recycle() on a Bitmap that has already been finalized, it will result in use-after-frees. This is bad. Avoid this by setting the pointer to 0 and checking for it.

Change-Id: I12d73703a0f95b05fe4c2fd8e9c01b6a3f2f023b
Diffstat (limited to 'graphics/java')
-rw-r--r--graphics/java/android/graphics/Bitmap.java5
1 files changed, 3 insertions, 2 deletions
diff --git a/graphics/java/android/graphics/Bitmap.java b/graphics/java/android/graphics/Bitmap.java
index 3f79c2d..72f6118 100644
--- a/graphics/java/android/graphics/Bitmap.java
+++ b/graphics/java/android/graphics/Bitmap.java
@@ -304,7 +304,7 @@ public final class Bitmap implements Parcelable {
* there are no more references to this bitmap.
*/
public void recycle() {
- if (!mRecycled) {
+ if (!mRecycled && mFinalizer.mNativeBitmap != 0) {
if (nativeRecycle(mNativeBitmap)) {
// return value indicates whether native pixel object was actually recycled.
// false indicates that it is still in use at the native level and these
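Review bot: The new guard in recycle() tests `mFinalizer.mNativeBitmap`, but the call on the next line still passes the Bitmap's own `mNativeBitmap`, which this commit never clears, so the handle that is checked and the handle that is used are two different fields. A short comment on the condition would make that explicit, for example `// mFinalizer.mNativeBitmap is zeroed in finalize(); the Bitmap's own copy is not`. Other methods that pass `mNativeBitmap` to native code are outside this hunk and presumably lack this guard, so a shared "native handle still valid" check would be safer than a one-off condition here. recycle()'s body continues past the end of the hunk.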
@@ -1571,7 +1571,7 @@ public final class Bitmap implements Parcelable {
}
private static class BitmapFinalizer {
- private final long mNativeBitmap;
+ private long mNativeBitmap;
// Native memory allocated for the duration of the Bitmap,
// if pixel data allocated into native memory, instead of java byte[]
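Review bot: With `final` removed, `mNativeBitmap` is written in finalize() (the `mNativeBitmap = 0;` added in the last hunk) and read in recycle() with no synchronization visible in these hunks, so a recycle() running on a different thread from the finalizer is not guaranteed to see the zero. Declaring it `private volatile long mNativeBitmap;` would give the read visibility, though it would not close the window between the check and the `nativeRecycle` call. If the design relies on both running on one thread, a comment on the field saying so would help. The BitmapFinalizer class body continues outside this hunk.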
@@ -1597,6 +1597,7 @@ public final class Bitmap implements Parcelable {
VMRuntime.getRuntime().registerNativeFree(mNativeAllocationByteCount);
}
nativeDestructor(mNativeBitmap);
+ mNativeBitmap = 0;
}
}
}