Prevent MediaPlayerService::Client's use-after-free
Test: make cts -j123 && cts-tradefed run cts-dev -m \
CtsMediaTestCases --compatibility:module-arg \
CtsMediaTestCases:include-annotation:\
android.platform.test.annotations.RequiresDevice
Bug: 70546581
Merged-In: Ia142a7735c6685eb67b2c00917c0ed5ea7e0da9e
Change-Id: Ia142a7735c6685eb67b2c00917c0ed5ea7e0da9e
(cherry picked from commit d27ad6bae3215db0ed174f5f036339c9515fbba7)
diff --git a/media/libmediaplayerservice/MediaPlayerService.cpp b/media/libmediaplayerservice/MediaPlayerService.cpp
index 11f29cb..a963424 100644
--- a/media/libmediaplayerservice/MediaPlayerService.cpp
+++ b/media/libmediaplayerservice/MediaPlayerService.cpp
@@ -1430,12 +1430,13 @@
}
void MediaPlayerService::Client::notify(
- void* cookie, int msg, int ext1, int ext2, const Parcel *obj)
+ const wp<IMediaPlayer> &listener, int msg, int ext1, int ext2, const Parcel *obj)
{
- Client* client = static_cast<Client*>(cookie);
- if (client == NULL) {
+ sp<IMediaPlayer> spListener = listener.promote();
+ if (spListener == NULL) {
return;
}
+ Client* client = static_cast<Client*>(spListener.get());
sp<IMediaPlayerClient> c;
sp<Client> nextClient;
@@ -1483,7 +1484,7 @@
}
if (c != NULL) {
- ALOGV("[%d] notify (%p, %d, %d, %d)", client->mConnId, cookie, msg, ext1, ext2);
+ ALOGV("[%d] notify (%p, %d, %d, %d)", client->mConnId, spListener.get(), msg, ext1, ext2);
c->notify(msg, ext1, ext2, obj);
}
}
@@ -1541,7 +1542,7 @@
#if CALLBACK_ANTAGONIZER
const int Antagonizer::interval = 10000; // 10 msecs
-Antagonizer::Antagonizer(notify_callback_f cb, void* client) :
+Antagonizer::Antagonizer(notify_callback_f cb, const wp<IMediaPlayer> &client) :
mExit(false), mActive(false), mClient(client), mCb(cb)
{
createThread(callbackThread, this);