Revert "SurfaceFlinger: Validate layers before casting." (2d814fb6) · Commits · e / os / android_frameworks_native-old

libs/gui/include/gui/SurfaceControl.h

+6 −3

Original line number	Original line	Diff line number	Diff line
	@@ -84,9 +84,6 @@ public:

	explicit SurfaceControl(const sp<SurfaceControl>& other);		explicit SurfaceControl(const sp<SurfaceControl>& other);

	SurfaceControl(const sp<SurfaceComposerClient>& client, const sp<IBinder>& handle,
	const sp<IGraphicBufferProducer>& gbp, bool owned);

	private:		private:
	// can't be copied		// can't be copied
	SurfaceControl& operator = (SurfaceControl& rhs);		SurfaceControl& operator = (SurfaceControl& rhs);
	@@ -95,6 +92,12 @@ private:
	friend class SurfaceComposerClient;		friend class SurfaceComposerClient;
	friend class Surface;		friend class Surface;

			SurfaceControl(
			const sp<SurfaceComposerClient>& client,
			const sp<IBinder>& handle,
			const sp<IGraphicBufferProducer>& gbp,
			bool owned);

	~SurfaceControl();		~SurfaceControl();

	sp<Surface> generateSurfaceLocked() const;		sp<Surface> generateSurfaceLocked() const;

services/surfaceflinger/Client.cpp

+10 −1

Original line number	Original line	Diff line number	Diff line
	@@ -76,9 +76,18 @@ status_t Client::createSurface(const String8& name, uint32_t w, uint32_t h, Pixe
	uint32_t flags, const sp<IBinder>& parentHandle,		uint32_t flags, const sp<IBinder>& parentHandle,
	LayerMetadata metadata, sp<IBinder>* handle,		LayerMetadata metadata, sp<IBinder>* handle,
	sp<IGraphicBufferProducer>* gbp) {		sp<IGraphicBufferProducer>* gbp) {
			sp<Layer> parent = nullptr;
			if (parentHandle != nullptr) {
			auto layerHandle = reinterpret_cast<Layer::Handle*>(parentHandle.get());
			parent = layerHandle->owner.promote();
			if (parent == nullptr) {
			return NAME_NOT_FOUND;
			}
			}

	// We rely on createLayer to check permissions.		// We rely on createLayer to check permissions.
	return mFlinger->createLayer(name, this, w, h, format, flags, std::move(metadata), handle, gbp,		return mFlinger->createLayer(name, this, w, h, format, flags, std::move(metadata), handle, gbp,
	parentHandle);		&parent);
	}		}

	status_t Client::createWithSurfaceParent(const String8& name, uint32_t w, uint32_t h,		status_t Client::createWithSurfaceParent(const String8& name, uint32_t w, uint32_t h,

services/surfaceflinger/Layer.cpp

+1 −0

Original line number	Original line	Diff line number	Diff line
	@@ -125,6 +125,7 @@ Layer::~Layer() {
	}		}

	mFrameTracker.logAndResetStats(mName);		mFrameTracker.logAndResetStats(mName);

	mFlinger->onLayerDestroyed();		mFlinger->onLayerDestroyed();
	}		}

services/surfaceflinger/RefreshRateOverlay.cpp

+2 −2

Original line number	Original line	Diff line number	Diff line
	@@ -31,9 +31,9 @@ bool RefreshRateOverlay::createLayer() {
	const status_t ret =		const status_t ret =
	mFlinger.createLayer(String8("RefreshRateOverlay"), mClient, 0, 0,		mFlinger.createLayer(String8("RefreshRateOverlay"), mClient, 0, 0,
	PIXEL_FORMAT_RGBA_8888, ISurfaceComposerClient::eFXSurfaceColor,		PIXEL_FORMAT_RGBA_8888, ISurfaceComposerClient::eFXSurfaceColor,
	LayerMetadata(), &mIBinder, &mGbp, nullptr);		LayerMetadata(), &mIBinder, &mGbp, &mLayer);
	if (ret) {		if (ret) {
	ALOGE("failed to create color layer");		ALOGE("failed to color layer");
	return false;		return false;
	}		}

services/surfaceflinger/SurfaceFlinger.cpp

+41 −77

Original line number	Original line	Diff line number	Diff line
	@@ -3418,20 +3418,12 @@ status_t SurfaceFlinger::addClientLayer(const sp<Client>& client,
	const sp<IBinder>& handle,		const sp<IBinder>& handle,
	const sp<IGraphicBufferProducer>& gbc,		const sp<IGraphicBufferProducer>& gbc,
	const sp<Layer>& lbc,		const sp<Layer>& lbc,
	const sp<IBinder>& parentHandle,		const sp<Layer>& parent,
	bool addToCurrentState)		bool addToCurrentState)
	{		{
	// add this layer to the current state list		// add this layer to the current state list
	{		{
	Mutex::Autolock _l(mStateLock);		Mutex::Autolock _l(mStateLock);
	sp<Layer> parent;
	if (parentHandle != nullptr) {
	parent = fromHandle(parentHandle);
	if (parent == nullptr) {
	return NAME_NOT_FOUND;
	}
	}

	if (mNumLayers >= MAX_LAYERS) {		if (mNumLayers >= MAX_LAYERS) {
	ALOGE("AddClientLayer failed, mNumLayers (%zu) >= MAX_LAYERS (%zu)", mNumLayers,		ALOGE("AddClientLayer failed, mNumLayers (%zu) >= MAX_LAYERS (%zu)", mNumLayers,
	MAX_LAYERS);		MAX_LAYERS);
	@@ -4042,10 +4034,10 @@ uint32_t SurfaceFlinger::addInputWindowCommands(const InputWindowCommands& input
	return flags;		return flags;
	}		}

	status_t SurfaceFlinger::createLayer(		status_t SurfaceFlinger::createLayer(const String8& name, const sp<Client>& client, uint32_t w,
	const String8& name, const sp<Client>& client, uint32_t w, uint32_t h, PixelFormat format,		uint32_t h, PixelFormat format, uint32_t flags,
	uint32_t flags, LayerMetadata metadata, sp<IBinder>* handle,		LayerMetadata metadata, sp<IBinder>* handle,
	sp<IGraphicBufferProducer>* gbp, const sp<IBinder>& parentHandle) {		sp<IGraphicBufferProducer>* gbp, sp<Layer>* parent) {
	if (int32_t(w\|h) < 0) {		if (int32_t(w\|h) < 0) {
	ALOGE("createLayer() failed, w or h is negative (w=%d, h=%d)",		ALOGE("createLayer() failed, w or h is negative (w=%d, h=%d)",
	int(w), int(h));		int(w), int(h));
	@@ -4110,14 +4102,12 @@ status_t SurfaceFlinger::createLayer(
	return result;		return result;
	}		}

	mLayersByLocalBinderToken.emplace((*handle)->localBinder(), layer);

	if (primaryDisplayOnly) {		if (primaryDisplayOnly) {
	layer->setPrimaryDisplayOnly();		layer->setPrimaryDisplayOnly();
	}		}

	bool addToCurrentState = callingThreadHasUnscopedSurfaceFlingerAccess();		bool addToCurrentState = callingThreadHasUnscopedSurfaceFlingerAccess();
	result = addClientLayer(client, handle, gbp, layer, parentHandle,		result = addClientLayer(client, handle, gbp, layer, *parent,
	addToCurrentState);		addToCurrentState);
	if (result != NO_ERROR) {		if (result != NO_ERROR) {
	return result;		return result;
	@@ -4235,16 +4225,6 @@ void SurfaceFlinger::onHandleDestroyed(sp<Layer>& layer)
	mCurrentState.layersSortedByZ.remove(layer);		mCurrentState.layersSortedByZ.remove(layer);
	}		}
	markLayerPendingRemovalLocked(layer);		markLayerPendingRemovalLocked(layer);

	auto it = mLayersByLocalBinderToken.begin();
	while (it != mLayersByLocalBinderToken.end()) {
	if (it->second == layer) {
	it = mLayersByLocalBinderToken.erase(it);
	} else {
	it++;
	}
	}

	layer.clear();		layer.clear();
	}		}

	@@ -5514,18 +5494,11 @@ status_t SurfaceFlinger::captureLayers(
	const bool mChildrenOnly;		const bool mChildrenOnly;
	};		};

	int reqWidth = 0;		auto layerHandle = reinterpret_cast<Layer::Handle*>(layerHandleBinder.get());
	int reqHeight = 0;		auto parent = layerHandle->owner.promote();
	sp<Layer> parent;
	Rect crop(sourceCrop);
	std::unordered_set<sp<Layer>, ISurfaceComposer::SpHash<Layer>> excludeLayers;

	{
	Mutex::Autolock _l(mStateLock);

	parent = fromHandle(layerHandleBinder);
	if (parent == nullptr \|\| parent->isRemovedFromCurrentState()) {		if (parent == nullptr \|\| parent->isRemovedFromCurrentState()) {
	ALOGE("captureLayers called with an invalid or removed parent");		ALOGE("captureLayers called with a removed parent");
	return NAME_NOT_FOUND;		return NAME_NOT_FOUND;
	}		}

	@@ -5536,6 +5509,7 @@ status_t SurfaceFlinger::captureLayers(
	return PERMISSION_DENIED;		return PERMISSION_DENIED;
	}		}

			Rect crop(sourceCrop);
	if (sourceCrop.width() <= 0) {		if (sourceCrop.width() <= 0) {
	crop.left = 0;		crop.left = 0;
	crop.right = parent->getBufferSize(parent->getCurrentState()).getWidth();		crop.right = parent->getBufferSize(parent->getCurrentState()).getWidth();
	@@ -5545,19 +5519,9 @@ status_t SurfaceFlinger::captureLayers(
	crop.top = 0;		crop.top = 0;
	crop.bottom = parent->getBufferSize(parent->getCurrentState()).getHeight();		crop.bottom = parent->getBufferSize(parent->getCurrentState()).getHeight();
	}		}
	reqWidth = crop.width() * frameScale;
	reqHeight = crop.height() * frameScale;

	for (const auto& handle : excludeHandles) {		int32_t reqWidth = crop.width() * frameScale;
	sp<Layer> excludeLayer = fromHandle(handle);		int32_t reqHeight = crop.height() * frameScale;
	if (excludeLayer != nullptr) {
	excludeLayers.emplace(excludeLayer);
	} else {
	ALOGW("Invalid layer handle passed as excludeLayer to captureLayers");
	return NAME_NOT_FOUND;
	}
	}
	} // mStateLock

	// really small crop or frameScale		// really small crop or frameScale
	if (reqWidth <= 0) {		if (reqWidth <= 0) {
	@@ -5567,6 +5531,18 @@ status_t SurfaceFlinger::captureLayers(
	reqHeight = 1;		reqHeight = 1;
	}		}

			std::unordered_set<sp<Layer>, ISurfaceComposer::SpHash<Layer>> excludeLayers;
			for (const auto& handle : excludeHandles) {
			BBinder* local = handle->localBinder();
			if (local != nullptr) {
			auto layerHandle = reinterpret_cast<Layer::Handle*>(local);
			excludeLayers.emplace(layerHandle->owner.promote());
			} else {
			ALOGW("Invalid layer handle passed as excludeLayer to captureLayers");
			return NAME_NOT_FOUND;
			}
			}

	LayerRenderArea renderArea(this, parent, crop, reqWidth, reqHeight, reqDataspace, childrenOnly);		LayerRenderArea renderArea(this, parent, crop, reqWidth, reqHeight, reqDataspace, childrenOnly);
	auto traverseLayers = [parent, childrenOnly,		auto traverseLayers = [parent, childrenOnly,
	&excludeLayers](const LayerVector::Visitor& visitor) {		&excludeLayers](const LayerVector::Visitor& visitor) {
	@@ -5937,18 +5913,6 @@ void SurfaceFlinger::SetInputWindowsListener::onSetInputWindowsFinished() {
	mFlinger->setInputWindowsFinished();		mFlinger->setInputWindowsFinished();
	}		}

	sp<Layer> SurfaceFlinger::fromHandle(const sp<IBinder>& handle) {
	BBinder *b = handle->localBinder();
	if (b == nullptr) {
	return nullptr;
	}
	auto it = mLayersByLocalBinderToken.find(b);
	if (it != mLayersByLocalBinderToken.end()) {
	return it->second.promote();
	}
	return nullptr;
	}

	} // namespace android		} // namespace android

	#if defined(__gl_h_)		#if defined(__gl_h_)