
Commit 37973d9a authored by Alec Mouri's avatar Alec Mouri

Fix ownership for RenderArea in screenshots.

RenderArea was previously owned by captureScreenshot(), and was borrowed by renderScreenImpl(). But renderScreenImpl asynchronously executes screenshot rendering which relies on the render area, which causes a use-after-free. Instead, pass ownership to renderScreenImpl.

Bug: 389887557
Change-Id: I37035b34d55f4847db9722371ea492364f7706fe
Flag: EXEMPT bug fix
Test: courage
parent 1da78218
+4 −3
@@ -7575,7 +7575,7 @@ ftl::SharedFuture<FenceResult> SurfaceFlinger::captureScreenshot(

    if (hdrBuffer && gainmapBuffer) {
        ftl::SharedFuture<FenceResult> hdrRenderFuture =
                renderScreenImpl(renderArea.get(), hdrBuffer, regionSampling, grayscale,
                renderScreenImpl(std::move(renderArea), hdrBuffer, regionSampling, grayscale,
                                 isProtected, captureResults, displayState, layers);
        captureResults.buffer = buffer->getBuffer();
        captureResults.optionalGainMap = gainmapBuffer->getBuffer();
@@ -7599,7 +7599,7 @@ ftl::SharedFuture<FenceResult> SurfaceFlinger::captureScreenshot(
                        })
                        .share();
    } else {
        renderFuture = renderScreenImpl(renderArea.get(), buffer, regionSampling, grayscale,
        renderFuture = renderScreenImpl(std::move(renderArea), buffer, regionSampling, grayscale,
                                        isProtected, captureResults, displayState, layers);
    }

@@ -7620,7 +7620,8 @@ ftl::SharedFuture<FenceResult> SurfaceFlinger::captureScreenshot(
}

ftl::SharedFuture<FenceResult> SurfaceFlinger::renderScreenImpl(
        const RenderArea* renderArea, const std::shared_ptr<renderengine::ExternalTexture>& buffer,
        std::unique_ptr<const RenderArea> renderArea,
        const std::shared_ptr<renderengine::ExternalTexture>& buffer,
        bool regionSampling, bool grayscale, bool isProtected, ScreenCaptureResults& captureResults,
        const std::optional<OutputCompositionState>& displayState,
        const std::vector<std::pair<Layer*, sp<LayerFE>>>& layers) {
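Review bot: The new renderScreenImpl signature takes ownership of `renderArea` but still borrows `buffer`, `captureResults`, `displayState` and `layers` by reference, while the commit description says the rendering runs asynchronously. If the deferred work reads any of them through the reference rather than through a copy made before the function returns, the same use-after-free class remains for those arguments. This is most visible at the call site in the third file section, where `displayState` and `layers` are locals of a helper that returns right after the call. The function body lies outside the hunk, so this cannot be confirmed from here. I would check the captures and add a comment above the definition such as `// renderArea is owned by the async render task; every by-reference parameter must be copied before this function returns.`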
+2 −1
@@ -894,7 +894,8 @@ private:
            const std::shared_ptr<renderengine::ExternalTexture>& gainmapBuffer = nullptr);

    ftl::SharedFuture<FenceResult> renderScreenImpl(
            const RenderArea*, const std::shared_ptr<renderengine::ExternalTexture>&,
            std::unique_ptr<const RenderArea> renderArea,
            const std::shared_ptr<renderengine::ExternalTexture>&,
            bool regionSampling, bool grayscale, bool isProtected, ScreenCaptureResults&,
            const std::optional<OutputCompositionState>& displayState,
            const std::vector<std::pair<Layer*, sp<LayerFE>>>& layers);
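Review bot: The declaration does not document that renderScreenImpl now consumes the RenderArea, so a caller reading only the header cannot tell that its `unique_ptr` is null after the call. A short comment above the declaration would state the contract, for example `// Takes ownership of renderArea; per the fix for the screenshot use-after-free, it must stay alive until the asynchronous render completes.` As a style point, `renderArea` is now the only pointer or reference parameter given a name here, while the buffer and `ScreenCaptureResults&` parameters stay unnamed. Naming them as the definition does would make the two easier to compare.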
+1 −1
@@ -473,7 +473,7 @@ public:
        auto displayState = std::optional{display->getCompositionDisplay()->getState()};
        auto layers = getLayerSnapshotsFn();

        return mFlinger->renderScreenImpl(renderArea.get(), buffer, regionSampling,
        return mFlinger->renderScreenImpl(std::move(renderArea), buffer, regionSampling,
                                          false /* grayscale */, false /* isProtected */,
                                          captureResults, displayState, layers);
    }