authorywen <ywen@codeaurora.org>2015-03-26 19:51:12 +0800
committerDigish Pandya <digishp@codeaurora.org>2015-04-10 11:59:52 +0530
commitaef0445c6f1fbd818b594383217a13571bbd95ad (patch)
treea57f207c94d8233a55d6e9262b8b42b9d5c9d88d /libs/ui
parenta60ff367a4f55ea319625cf500687c5025604f40 (diff)
Fix a memory corruption issue when vector resize
There is memory corruption in the code below:

    const Rect* prev = &dst[prevIndex];
    dst.add(Rect(prev->right, top, right, bottom));

prev points into the memory of vector dst. When dst resizes in the add() call, the memory that prev points to is copied to the newly allocated vector memory, and the old memory becomes undefined. Avoid the pointer in this case and use a local copy instead.

Change-Id: I4d95ceedd00c8fb615ac153082ade1b1ce0d0fa8
Diffstat (limited to 'libs/ui')
-rw-r--r--libs/ui/Region.cpp35
1 files changed, 17 insertions, 18 deletions
diff --git a/libs/ui/Region.cpp b/libs/ui/Region.cpp
index 91fa216..53ef193 100644
--- a/libs/ui/Region.cpp
+++ b/libs/ui/Region.cpp
@@ -130,43 +130,42 @@ static void reverseRectsResolvingJunctions(const Rect* begin, const Rect* end,
// prevIndex can't be -1 here because if endLastSpan is set to a
// value greater than -1 (allowing the loop to execute),
// beginLastSpan (and therefore prevIndex) will also be increased
- const Rect* prev = &dst[static_cast<size_t>(prevIndex)];
-
+ const Rect prev = dst[static_cast<size_t>(prevIndex)];
if (spanDirection == direction_RTL) {
// iterating over previous span RTL, quit if it's too far left
- if (prev->right <= left) break;
+ if (prev.right <= left) break;
- if (prev->right > left && prev->right < right) {
- dst.add(Rect(prev->right, top, right, bottom));
- right = prev->right;
+ if (prev.right > left && prev.right < right) {
+ dst.add(Rect(prev.right, top, right, bottom));
+ right = prev.right;
}
- if (prev->left > left && prev->left < right) {
- dst.add(Rect(prev->left, top, right, bottom));
- right = prev->left;
+ if (prev.left > left && prev.left < right) {
+ dst.add(Rect(prev.left, top, right, bottom));
+ right = prev.left;
}
// if an entry in the previous span is too far right, nothing further left in the
// current span will need it
- if (prev->left >= right) {
+ if (prev.left >= right) {
beginLastSpan = prevIndex;
}
} else {
// iterating over previous span LTR, quit if it's too far right
- if (prev->left >= right) break;
+ if (prev.left >= right) break;
- if (prev->left > left && prev->left < right) {
- dst.add(Rect(left, top, prev->left, bottom));
- left = prev->left;
+ if (prev.left > left && prev.left < right) {
+ dst.add(Rect(left, top, prev.left, bottom));
+ left = prev.left;
}
- if (prev->right > left && prev->right < right) {
- dst.add(Rect(left, top, prev->right, bottom));
- left = prev->right;
+ if (prev.right > left && prev.right < right) {
+ dst.add(Rect(left, top, prev.right, bottom));
+ left = prev.right;
}
// if an entry in the previous span is too far left, nothing further right in the
// current span will need it
- if (prev->right <= left) {
+ if (prev.right <= left) {
beginLastSpan = prevIndex;
}
}
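Review bot: The new `const Rect prev = dst[static_cast<size_t>(prevIndex)];` line carries no comment saying why it is a by-value copy, so a later cleanup could turn it back into a `const Rect&` or a pointer and reintroduce the dangling read that this commit removes. I would add above it: `// Copy by value: dst.add() below may reallocate dst's storage, invalidating any pointer or reference into it.` The existing comment above the line only covers why `prevIndex` cannot be -1, not the lifetime concern. The enclosing loop and the rest of `reverseRectsResolvingJunctions` start and end outside this hunk, so any other references into `dst` held across `add()` calls there should be checked for the same pattern.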