commit 54cf5b1a8636015eb3bf9b4aee2580e2d1d10a99
author Robert Carr <racarr@google.com> Fri Jan 25 14:02:28 2019 -0800
committer Robert Carr <racarr@google.com> Mon Jan 28 08:35:26 2019 -0800
tree 1e170c6a55d7c6855372485d5195abc000cdea7c
parent a2e7f7f613358cdbe205586d6151a2056d1c085c

Fix crash when reparenting layer to itself.

Currently this creates unbounded recursion and a SurfaceFlinger
crash.

Bug: 123283486
Test: Transaction_test.cpp
Change-Id: Ieae19cb3a7724de2ddb95a895328dd5b4a8d8782

services/surfaceflinger/Layer.cpp

diff --git a/services/surfaceflinger/Layer.cpp b/services/surfaceflinger/Layer.cpp
index e108d1e..f181220 100644
--- a/services/surfaceflinger/Layer.cpp
+++ b/services/surfaceflinger/Layer.cpp
@@ -1623,19 +1623,26 @@
         return false;
     }
 
+    sp<Layer> newParent;
+    if (newParentHandle != nullptr) {
+        auto handle = static_cast<Handle*>(newParentHandle.get());
+        newParent = handle->owner.promote();
+        if (newParent == nullptr) {
+            ALOGE("Unable to promote Layer handle");
+            return false;
+        }
+        if (newParent == this) {
+            ALOGE("Invalid attempt to reparent Layer (%s) to itself", getName().c_str());
+            return false;
+        }
+    }
+
     sp<Layer> parent = getParent();
     if (parent != nullptr) {
         parent->removeChild(this);
     }
 
     if (newParentHandle != nullptr) {
-        auto handle = static_cast<Handle*>(newParentHandle.get());
-        sp<Layer> newParent = handle->owner.promote();
-        if (newParent == nullptr) {
-            ALOGE("Unable to promote Layer handle");
-            return false;
-        }
-
         newParent->addChild(this);
         if (!newParent->isRemovedFromCurrentState()) {
             addToCurrentState();