commit 9a02eda8d5f95d754aa908e66089750183355511
author Alec Mouri <alecmouri@google.com> Tue Apr 21 17:39:34 2020 -0700
committer Alec Mouri <alecmouri@google.com> Wed Apr 22 11:24:30 2020 -0700
tree 97ebeea93991e0132e090c5fddd45fae92967989
parent 9bb4cfb009f1317605e8ff090e0ce930e15d4d40

Lookup layer handle when registering region sampling listener

We must do this in order to prevent clients from providing a bogus
handle when registering a region sampling listener. Fortunately, this
particular path required a permissions check so it cannot be accessed
from arbitrary apps on unrooted devices. But, we should not allow this
type of memory corruption to be reachable by the system.

Bug: 153467444
Test: libgui_test
Test: Repro steps in the bug no longer reproduce
Change-Id: I883506798574dfd0688371fdb6305cfad9d153fc

libs/gui/tests/RegionSampling_test.cpp

diff --git a/libs/gui/tests/RegionSampling_test.cpp b/libs/gui/tests/RegionSampling_test.cpp
index dbd4ef9..6746b0a 100644
--- a/libs/gui/tests/RegionSampling_test.cpp
+++ b/libs/gui/tests/RegionSampling_test.cpp
@@ -240,6 +240,19 @@
     float const luma_gray = 0.50;
 };
 
+TEST_F(RegionSamplingTest, invalidLayerHandle_doesNotCrash) {
+    sp<ISurfaceComposer> composer = ComposerService::getComposerService();
+    sp<Listener> listener = new Listener();
+    const Rect sampleArea{100, 100, 200, 200};
+    // Passing in composer service as the layer handle should not crash, we'll
+    // treat it as a layer that no longer exists and silently allow sampling to
+    // occur.
+    status_t status = composer->addRegionSamplingListener(sampleArea,
+                                                          IInterface::asBinder(composer), listener);
+    ASSERT_EQ(NO_ERROR, status);
+    composer->removeRegionSamplingListener(listener);
+}
+
 TEST_F(RegionSamplingTest, DISABLED_CollectsLuma) {
     fill_render(rgba_green);