Gitiles
Code Review Sign In
gerrit.omnirom.org / android_frameworks_native / 4293e9d75d5b0d033126f529ab61dd1f4a8d8420^! / . / services / surfaceflinger / SurfaceFlinger.h
commit4293e9d75d5b0d033126f529ab61dd1f4a8d8420[log] [tgz]
authorRobert Carr <racarr@google.com>Tue Apr 02 16:31:39 2019 -0700
committerRobert Carr <racarr@google.com>Fri Apr 05 09:21:29 2019 -0700
treede561d03f17b200afad30b6b8d5058d595058566
parent866455f07c21964af5c195709bc2081121965200 [diff] [blame]
SurfaceFlinger: Validate layers before casting.

Reinterpret casting random IBinder = no-fun. I first attempted
to use inheritance of "getInterfaceDescriptor" in Layer::Handle but
departing from "standard-layout" (e.g. using virtual methods) means that
downcasting with static/reinterpret_cast is no longer valid. Instead I opted
for the pattern the system-server uses of maintaing a map.

Bug: 129768960
Test: InvalidHandles_test.cpp
Change-Id: Ica8d08a2daf5e80d187e818adbff0c7901db69f7

diff --git a/services/surfaceflinger/SurfaceFlinger.h b/services/surfaceflinger/SurfaceFlinger.h
index 7e8e836..c0c0880 100644
--- a/services/surfaceflinger/SurfaceFlinger.h
+++ b/services/surfaceflinger/SurfaceFlinger.h

@@ -313,6 +313,8 @@
         return mTransactionCompletedThread;
     }
 
+    sp<Layer> fromHandle(const sp<IBinder>& handle) REQUIRES(mStateLock);
+
 private:
     friend class BufferLayer;
     friend class BufferQueueLayer;
@@ -587,9 +589,10 @@
     /* ------------------------------------------------------------------------
      * Layer management
      */
-    status_t createLayer(const String8& name, const sp<Client>& client, uint32_t w, uint32_t h,
-                         PixelFormat format, uint32_t flags, LayerMetadata metadata,
-                         sp<IBinder>* handle, sp<IGraphicBufferProducer>* gbp, sp<Layer>* parent);
+    status_t createLayer(
+            const String8& name, const sp<Client>& client, uint32_t w, uint32_t h,
+            PixelFormat format, uint32_t flags, LayerMetadata metadata,
+            sp<IBinder>* handle, sp<IGraphicBufferProducer>* gbp, const sp<IBinder>& parentHandle);
 
     status_t createBufferQueueLayer(const sp<Client>& client, const String8& name, uint32_t w,
                                     uint32_t h, uint32_t flags, LayerMetadata metadata,
@@ -621,7 +624,7 @@
             const sp<IBinder>& handle,
             const sp<IGraphicBufferProducer>& gbc,
             const sp<Layer>& lbc,
-            const sp<Layer>& parent,
+            const sp<IBinder>& parentHandle,
             bool addToCurrentState);
 
     // Traverse through all the layers and compute and cache its bounds.
@@ -994,6 +997,9 @@
     std::map<wp<IBinder>, sp<DisplayDevice>> mDisplays;
     std::unordered_map<DisplayId, sp<IBinder>> mPhysicalDisplayTokens;
 
+    // protected by mStateLock
+    std::unordered_map<BBinder*, wp<Layer>> mLayersByLocalBinderToken;
+
     // don't use a lock for these, we don't care
     int mDebugRegion = 0;
     bool mDebugDisableHWC = false;