diff options
| -rw-r--r-- | libs/binder/IPCThreadState.cpp | 12 | ||||
| -rw-r--r-- | libs/gui/IGraphicBufferConsumer.cpp | 2 | ||||
| -rw-r--r-- | libs/gui/IGraphicBufferProducer.cpp | 1 |
3 files changed, 12 insertions, 3 deletions
diff --git a/libs/binder/IPCThreadState.cpp b/libs/binder/IPCThreadState.cpp index ef88181..af18e11 100644 --- a/libs/binder/IPCThreadState.cpp +++ b/libs/binder/IPCThreadState.cpp @@ -1083,8 +1083,16 @@ status_t IPCThreadState::executeCommand(int32_t cmd) << reinterpret_cast<const size_t*>(tr.data.ptr.offsets) << endl; } if (tr.target.ptr) { - sp<BBinder> b((BBinder*)tr.cookie); - error = b->transact(tr.code, buffer, &reply, tr.flags); + // We only have a weak reference on the target object, so we must first try to + // safely acquire a strong reference before doing anything else with it. + if (reinterpret_cast<RefBase::weakref_type*>( + tr.target.ptr)->attemptIncStrong(this)) { + error = reinterpret_cast<BBinder*>(tr.cookie)->transact(tr.code, buffer, + &reply, tr.flags); + reinterpret_cast<BBinder*>(tr.cookie)->decStrong(this); + } else { + error = UNKNOWN_TRANSACTION; + } } else { error = the_context_object->transact(tr.code, buffer, &reply, tr.flags); diff --git a/libs/gui/IGraphicBufferConsumer.cpp b/libs/gui/IGraphicBufferConsumer.cpp index c4660ba..7ae82e0 100644 --- a/libs/gui/IGraphicBufferConsumer.cpp +++ b/libs/gui/IGraphicBufferConsumer.cpp @@ -349,7 +349,7 @@ status_t BnGraphicBufferConsumer::onTransact( } case GET_RELEASED_BUFFERS: { CHECK_INTERFACE(IGraphicBufferConsumer, data, reply); - uint64_t slotMask; + uint64_t slotMask = 0; status_t result = getReleasedBuffers(&slotMask); reply->writeInt64(static_cast<int64_t>(slotMask)); reply->writeInt32(result); diff --git a/libs/gui/IGraphicBufferProducer.cpp b/libs/gui/IGraphicBufferProducer.cpp index 1099c84..c3c6235 100644 --- a/libs/gui/IGraphicBufferProducer.cpp +++ b/libs/gui/IGraphicBufferProducer.cpp @@ -435,6 +435,7 @@ status_t BnGraphicBufferProducer::onTransact( QueueBufferOutput* const output = reinterpret_cast<QueueBufferOutput *>( reply->writeInplace(sizeof(QueueBufferOutput))); + memset(output, 0, sizeof(QueueBufferOutput)); status_t res = connect(listener, api, producerControlledByApp, output); reply->writeInt32(res); return NO_ERROR; |