From 93bfb8724aa5479d1af3e82d6477dc0d5aec321b Mon Sep 17 00:00:00 2001 From: Praveena Pachipulusu Date: Thu, 21 Nov 2013 18:57:31 +0530 Subject: [PATCH] SurfaceFlinger: Add NULL check for buffer handling Add buffer handling NULL check in dequeueBuffer and verify whether the output data from binder is not NULL in queueBuffer and connect api's to avoid SF crash CRs-Fixed: 573088 CRs-Fixed: 572315 Change-Id: I41cebbc0cbcbbb0fd5ecb38db7ec7b0c91cdffe9
---
 libs/gui/IGraphicBufferProducer.cpp | 14 ++++++++++++--
 libs/gui/Surface.cpp | 3 +++
 2 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/libs/gui/IGraphicBufferProducer.cpp b/libs/gui/IGraphicBufferProducer.cpp
index c3c62358fa..da02c688c9 100644
--- a/libs/gui/IGraphicBufferProducer.cpp
+++ b/libs/gui/IGraphicBufferProducer.cpp
@@ -185,7 +185,12 @@ public:
 if (result != NO_ERROR) {
 return result;
 }
- memcpy(output, reply.readInplace(sizeof(*output)), sizeof(*output));
+ const void *out_data =reply.readInplace(sizeof(*output));
+ if(out_data != NULL) {
+ memcpy(output, out_data, sizeof(*output));
+ } else {
+ return BAD_VALUE;
+ }
 result = reply.readInt32();
 return result;
 }
@@ -227,7 +232,12 @@ public:
 if (result != NO_ERROR) {
 return result;
 }
- memcpy(output, reply.readInplace(sizeof(*output)), sizeof(*output));
+ const void *out_data =reply.readInplace(sizeof(*output));
+ if(out_data != NULL) {
+ memcpy(output, out_data, sizeof(*output));
+ } else {
+ return BAD_VALUE;
+ }
 result = reply.readInt32();
 return result;
 }
diff --git a/libs/gui/Surface.cpp b/libs/gui/Surface.cpp
index ed24094fa2..4f8a9a15b8 100644
--- a/libs/gui/Surface.cpp
+++ b/libs/gui/Surface.cpp
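Review bot: A reply that carries the output struct but is cut short before the trailing status word is still reported as success in the hunk at -185, and identically in the hunk at -227, because the unchanged `result = reply.readInt32();` uses the Parcel overload that yields 0 when the read fails, and 0 is NO_ERROR. Since the commit already treats the reply as possibly malformed, read the status through the checked overload, e.g. `status_t err = reply.readInt32(&result); if (err != NO_ERROR) return err;` (this assumes `result` is a 32-bit status_t; its declaration is outside the hunk). The new `return BAD_VALUE;` path is also silent, so an `ALOGE` naming the call would make a short reply visible in logs, as the Surface.cpp change does. Both enclosing functions start outside their hunks.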
@@ -257,6 +257,9 @@ int Surface::dequeueBuffer(android_native_buffer_t** buffer, int* fenceFd) {
 ALOGE("dequeueBuffer: IGraphicBufferProducer::requestBuffer failed: %d", result);
 mGraphicBufferProducer->cancelBuffer(buf, fence);
 return result;
+ } else if (gbuf == 0) {
+ ALOGE("dequeueBuffer: Buffer is null return");
+ return INVALID_OPERATION;
 }
 }
-- 
2.11.0
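Review bot: The new `else if (gbuf == 0)` branch returns without `mGraphicBufferProducer->cancelBuffer(buf, fence);`, while the error branch directly above it cancels before returning, so the slot dequeued earlier appears to stay owned by this client on the null-buffer path. Repeated failures could then drain the producer's free slots; adding the same `cancelBuffer(buf, fence)` call before `return INVALID_OPERATION;` keeps the two failure paths consistent. The log text `"dequeueBuffer: Buffer is null return"` would be clearer as something like `"dequeueBuffer: requestBuffer succeeded but returned a null buffer"`. The dequeue itself and the rest of dequeueBuffer are outside the hunk, so confirm `buf` and `fence` are still valid at this point.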