commit 65d9f6d63ab3bad1d835df14c662028a748eb3c5
author Pablo Ceballos <pceballos@google.com> Wed May 04 13:59:35 2016 -0700
committer Pablo Ceballos <pceballos@google.com> Wed May 04 13:59:35 2016 -0700
tree 43c44262ffd81ac12770791bb9e0225dbda7d3cc
parent 9a8ddb6e71605d5304226234ed01cedccf54e849

libgui: Prevent segfaulting in abandoned ConsumerBase

mConsumer will be null if the ConsumerBase has been abandoned. Prevent
it from being dereferenced in those cases.

Bug 27718219

Change-Id: I9a3ecadb0655ec61cd2fd15ee98b3e1bef078cff

libs/gui/ConsumerBase.cpp

diff --git a/libs/gui/ConsumerBase.cpp b/libs/gui/ConsumerBase.cpp
index 2187e5e..a6a9712 100644
--- a/libs/gui/ConsumerBase.cpp
+++ b/libs/gui/ConsumerBase.cpp
@@ -163,6 +163,10 @@
 
 void ConsumerBase::abandonLocked() {
     CB_LOGV("abandonLocked");
+    if (mAbandoned) {
+        CB_LOGE("abandonLocked: ConsumerBase is abandoned!");
+        return;
+    }
     for (int i =0; i < BufferQueue::NUM_BUFFER_SLOTS; i++) {
         freeBufferLocked(i);
     }
@@ -187,6 +191,11 @@
     CB_LOGV("detachBuffer");
     Mutex::Autolock lock(mMutex);
 
+    if (mAbandoned) {
+        CB_LOGE("detachBuffer: ConsumerBase is abandoned!");
+        return NO_INIT;
+    }
+
     status_t result = mConsumer->detachBuffer(slot);
     if (result != NO_ERROR) {
         CB_LOGE("Failed to detach buffer: %d", result);
@@ -200,17 +209,29 @@
 
 status_t ConsumerBase::setDefaultBufferSize(uint32_t width, uint32_t height) {
     Mutex::Autolock _l(mMutex);
+    if (mAbandoned) {
+        CB_LOGE("setDefaultBufferSize: ConsumerBase is abandoned!");
+        return NO_INIT;
+    }
     return mConsumer->setDefaultBufferSize(width, height);
 }
 
 status_t ConsumerBase::setDefaultBufferFormat(PixelFormat defaultFormat) {
     Mutex::Autolock _l(mMutex);
+    if (mAbandoned) {
+        CB_LOGE("setDefaultBufferFormat: ConsumerBase is abandoned!");
+        return NO_INIT;
+    }
     return mConsumer->setDefaultBufferFormat(defaultFormat);
 }
 
 status_t ConsumerBase::setDefaultBufferDataSpace(
         android_dataspace defaultDataSpace) {
     Mutex::Autolock _l(mMutex);
+    if (mAbandoned) {
+        CB_LOGE("setDefaultBufferDataSpace: ConsumerBase is abandoned!");
+        return NO_INIT;
+    }
     return mConsumer->setDefaultBufferDataSpace(defaultDataSpace);
 }
 
@@ -233,6 +254,11 @@
 
 status_t ConsumerBase::acquireBufferLocked(BufferItem *item,
         nsecs_t presentWhen, uint64_t maxFrameNumber) {
+    if (mAbandoned) {
+        CB_LOGE("acquireBufferLocked: ConsumerBase is abandoned!");
+        return NO_INIT;
+    }
+
     status_t err = mConsumer->acquireBuffer(item, presentWhen, maxFrameNumber);
     if (err != NO_ERROR) {
         return err;
@@ -289,6 +315,10 @@
 status_t ConsumerBase::releaseBufferLocked(
         int slot, const sp<GraphicBuffer> graphicBuffer,
         EGLDisplay display, EGLSyncKHR eglFence) {
+    if (mAbandoned) {
+        CB_LOGE("releaseBufferLocked: ConsumerBase is abandoned!");
+        return NO_INIT;
+    }
     // If consumer no longer tracks this graphicBuffer (we received a new
     // buffer on the same slot), the buffer producer is definitely no longer
     // tracking it.