Gitiles
Code Review Sign In
gerrit.omnirom.org / android_frameworks_native / 33da9468354b9b530712d4157298a8e0479cf2e5^! / . / services / surfaceflinger / Layer.cpp
commit33da9468354b9b530712d4157298a8e0479cf2e5[log] [tgz]
authorPrabir Pradhan <prabirmsp@google.com>Tue Jun 14 14:55:57 2022 +0000
committerPrabir Pradhan <prabirmsp@google.com>Tue Jun 14 16:27:24 2022 +0000
tree4ac2655af45af516376ec539e291ab6b521b7546
parent8f4e41d679d67436ee3868cab8785a35b3cc613f [diff] [blame]
Layer: Guard against Region offset overflows

When applying a transform to a Region, if the Region is translated to
bounds that overlow the int32_t type, the process crashes.

For now, we guard against process crashes by manually applying the
offset to the Region and checking for overflows. If we detect an
overflow in one of the Rects in a Region, we remove the Rect from the
resulting Region.

Bug: 234247210
Test: atest libgui_test
Change-Id: Icd47539accae2e59a7dbd9c9621201bd040fc402

diff --git a/services/surfaceflinger/Layer.cpp b/services/surfaceflinger/Layer.cpp
index 6ed4a94..be16942 100644
--- a/services/surfaceflinger/Layer.cpp
+++ b/services/surfaceflinger/Layer.cpp

@@ -2194,6 +2194,37 @@
     return getCroppedBufferSize(getDrawingState());
 }
 
+// Applies the given transform to the region, while protecting against overflows caused by any
+// offsets. If applying the offset in the transform to any of the Rects in the region would result
+// in an overflow, they are not added to the output Region.
+static Region transformTouchableRegionSafely(const ui::Transform& t, const Region& r,
+                                             const std::string& debugWindowName) {
+    // Round the translation using the same rounding strategy used by ui::Transform.
+    const auto tx = static_cast<int32_t>(t.tx() + 0.5);
+    const auto ty = static_cast<int32_t>(t.ty() + 0.5);
+
+    ui::Transform transformWithoutOffset = t;
+    transformWithoutOffset.set(0.f, 0.f);
+
+    const Region transformed = transformWithoutOffset.transform(r);
+
+    // Apply the translation to each of the Rects in the region while discarding any that overflow.
+    Region ret;
+    for (const auto& rect : transformed) {
+        Rect newRect;
+        if (__builtin_add_overflow(rect.left, tx, &newRect.left) ||
+            __builtin_add_overflow(rect.top, ty, &newRect.top) ||
+            __builtin_add_overflow(rect.right, tx, &newRect.right) ||
+            __builtin_add_overflow(rect.bottom, ty, &newRect.bottom)) {
+            ALOGE("Applying transform to touchable region of window '%s' resulted in an overflow.",
+                  debugWindowName.c_str());
+            continue;
+        }
+        ret.orSelf(newRect);
+    }
+    return ret;
+}
+
 void Layer::fillInputFrameInfo(WindowInfo& info, const ui::Transform& screenToDisplay) {
     Rect tmpBounds = getInputBounds();
     if (!tmpBounds.isValid()) {
@@ -2256,7 +2287,8 @@
     info.transform = inputToDisplay.inverse();
 
     // The touchable region is specified in the input coordinate space. Change it to display space.
-    info.touchableRegion = inputToDisplay.transform(info.touchableRegion);
+    info.touchableRegion =
+            transformTouchableRegionSafely(inputToDisplay, info.touchableRegion, mName);
 }
 
 void Layer::fillTouchOcclusionMode(WindowInfo& info) {