Gitiles
Code Review Sign In
gerrit.omnirom.org / android_frameworks_native / 4ae43230fa356509917a26a34d411d9c6c7a26b2^2..4ae43230fa356509917a26a34d411d9c6c7a26b2 / .
commit4ae43230fa356509917a26a34d411d9c6c7a26b2[log] [tgz]
authorPawan Wagh <waghpawan@google.com>Tue Sep 13 19:46:11 2022 +0000
committerGerrit Code Review <noreply-gerritcodereview@google.com>Tue Sep 13 19:46:11 2022 +0000
treedfdefa3d018a35c3db7381678cf315d35d0b87c9
parent583954b00a17740d5c9a0d3f29fa7f15b34fbf49 [diff]
parent014a6a6e29c28fea73be7b371a5c4b6142e374fd [diff]
Merge "servicemanager : Adding abort in servicemanager_fuzzer"
diff --git a/libs/binder/IPCThreadState.cpp b/libs/binder/IPCThreadState.cpp
index b50cfb3..bfcf39a 100644
--- a/libs/binder/IPCThreadState.cpp
+++ b/libs/binder/IPCThreadState.cpp

@@ -1318,6 +1318,13 @@
                 LOG_ONEWAY("Sending reply to %d!", mCallingPid);
                 if (error < NO_ERROR) reply.setError(error);
 
+                // b/238777741: clear buffer before we send the reply.
+                // Otherwise, there is a race where the client may
+                // receive the reply and send another transaction
+                // here and the space used by this transaction won't
+                // be freed for the client.
+                buffer.setDataSize(0);
+
                 constexpr uint32_t kForwardReplyFlags = TF_CLEAR_BUF;
                 sendReply(reply, (tr.flags & kForwardReplyFlags));
             } else {

diff --git a/libs/binder/IServiceManager.cpp b/libs/binder/IServiceManager.cpp
index c0a8d74..5db3eef 100644
--- a/libs/binder/IServiceManager.cpp
+++ b/libs/binder/IServiceManager.cpp

@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-#define LOG_TAG "ServiceManager"
+#define LOG_TAG "ServiceManagerCppClient"
 
 #include <binder/IServiceManager.h>
 

diff --git a/libs/binder/tests/binderLibTest.cpp b/libs/binder/tests/binderLibTest.cpp
index 5de08bd..6e1c8ac 100644
--- a/libs/binder/tests/binderLibTest.cpp
+++ b/libs/binder/tests/binderLibTest.cpp

@@ -1161,8 +1161,7 @@
 // see ProcessState.cpp BINDER_VM_SIZE = 1MB.
 // This value is not exposed, but some code in the framework relies on being able to use
 // buffers near the cap size.
-// TODO(b/238777741): why do larger values, like 300K fail sometimes
-constexpr size_t kSizeBytesAlmostFull = 100'000;
+constexpr size_t kSizeBytesAlmostFull = 950'000;
 constexpr size_t kSizeBytesOverFull = 1'050'000;
 
 TEST_F(BinderLibTest, GargantuanVectorSent) {

diff --git a/libs/input/Input.cpp b/libs/input/Input.cpp
index 13ca9ec..4127f7c 100644
--- a/libs/input/Input.cpp
+++ b/libs/input/Input.cpp

@@ -929,6 +929,8 @@
         out << ", actionButton=" << std::to_string(event.getActionButton());
     }
     const size_t pointerCount = event.getPointerCount();
+    LOG_ALWAYS_FATAL_IF(pointerCount > MAX_POINTERS, "Too many pointers : pointerCount = %zu",
+                        pointerCount);
     for (size_t i = 0; i < pointerCount; i++) {
         out << ", id[" << i << "]=" << event.getPointerId(i);
         float x = event.getX(i);