
Commit 4018eb37 authored by John Reck's avatar John Reck

Prevent memory corruption from use-after-free

Bug: 19035637

If an app tries to call recycle() on a Bitmap that has
already been finalized it will result in use-after-frees. This is
bad. Avoid this by setting the pointer to 0 and checking for it.

Change-Id: I12d73703a0f95b05fe4c2fd8e9c01b6a3f2f023b
parent b74155cf
+3 −2
@@ -304,7 +304,7 @@ public final class Bitmap implements Parcelable {
     * there are no more references to this bitmap.
     */
    public void recycle() {
        if (!mRecycled) {
        if (!mRecycled && mFinalizer.mNativeBitmap != 0) {
            if (nativeRecycle(mNativeBitmap)) {
                // return value indicates whether native pixel object was actually recycled.
                // false indicates that it is still in use at the native level and these
@@ -1571,7 +1571,7 @@ public final class Bitmap implements Parcelable {
    }

    private static class BitmapFinalizer {
        private final long mNativeBitmap;
        private long mNativeBitmap;

        // Native memory allocated for the duration of the Bitmap,
        // if pixel data allocated into native memory, instead of java byte[]
@@ -1597,6 +1597,7 @@ public final class Bitmap implements Parcelable {
                    VMRuntime.getRuntime().registerNativeFree(mNativeAllocationByteCount);
                }
                nativeDestructor(mNativeBitmap);
                mNativeBitmap = 0;
            }
        }
    }
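Review bot: The guard added in recycle() reads `mFinalizer.mNativeBitmap` on the caller's thread while the finalizer thread writes it to 0 in the last hunk, and with the field now a plain non-final `long` there is no happens-before edge, so the zero may never become visible and the check may still pass on an already-destroyed bitmap. Declaring it `private volatile long mNativeBitmap;` would at least make the store visible, though it still leaves a window between the check and the `nativeRecycle(mNativeBitmap)` call on the next line if finalization runs in between. The call also passes the Bitmap's own `mNativeBitmap` copy rather than the finalizer's field, so the two values can diverge; using `mFinalizer.mNativeBitmap` in the call, or a comment stating that the outer copy is only valid while the finalizer's field is non-zero, would keep a single source of truth. recycle() continues past the first hunk, and the finalizer method containing the new `mNativeBitmap = 0;` begins outside the last one.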