ISurfaceComposer: boundary check input on CAPTURE_LAYERS Add a sanity check on numExcludeHandles to make sure we don't cause an overflow. Test: adb shell /data/nativetest64/SurfaceFlinger_test/SurfaceFlinger_test Fixes: 146435753 Change-Id: I2c700392727e2f4e0e434fb4c1800f2973c7418b

commit: b89ca7d6611e594d50fb709339395b65a9fd1267 [log] [tgz]
author: Ady Abraham <adyabr@google.com> Wed Mar 04 11:19:37 2020 -0800
committer: Ady Abraham <adyabr@google.com> Wed Mar 04 11:19:37 2020 -0800
tree: 21858bd0f3dbc764a553073508e6d5a428c10dac
parent: 09bea90a93d4d0ff8f7d34de233544f3b764f5c1 [diff] [blame]
diff --git a/services/surfaceflinger/SurfaceFlinger.h b/services/surfaceflinger/SurfaceFlinger.h
index d68edeb..947a426 100644
--- a/services/surfaceflinger/SurfaceFlinger.h
+++ b/services/surfaceflinger/SurfaceFlinger.h

@@ -351,7 +351,6 @@
     // every half hour.
     enum { LOG_FRAME_STATS_PERIOD =  30*60*60 };
 
-    static const size_t MAX_LAYERS = 4096;
     static const int MAX_TRACING_MEMORY = 100 * 1024 * 1024; // 100MB
 
 protected:
@@ -976,7 +975,7 @@
 
     // Can't be unordered_set because wp<> isn't hashable
     std::set<wp<IBinder>> mGraphicBufferProducerList;
-    size_t mMaxGraphicBufferProducerListSize = MAX_LAYERS;
+    size_t mMaxGraphicBufferProducerListSize = ISurfaceComposer::MAX_LAYERS;
     // If there are more GraphicBufferProducers tracked by SurfaceFlinger than
     // this threshold, then begin logging.
     size_t mGraphicBufferProducerListSizeLogThreshold =
commit	b89ca7d6611e594d50fb709339395b65a9fd1267	[log] [tgz]
author	Ady Abraham <adyabr@google.com>	Wed Mar 04 11:19:37 2020 -0800
committer	Ady Abraham <adyabr@google.com>	Wed Mar 04 11:19:37 2020 -0800
tree	21858bd0f3dbc764a553073508e6d5a428c10dac
parent	09bea90a93d4d0ff8f7d34de233544f3b764f5c1 [diff] [blame]