Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 5573471c authored by Jim Shargo's avatar Jim Shargo
Browse files

Surface: Don't immediately free dequeued buffers. 

The native API doesn't automatically take out a reference for buffers
that are dequeued--it depends on clients to take them, and says the
surface will generally hold onto these references. This can easily lead
to UAFs when the bufferqueue requests its producer to
RELEASE_ALL_BUFFERS and we release a dequeued buffer that is being
actively used (or worse, accidentally stored).

    The window holds a reference to the buffer between dequeueBuffer and
    either queueBuffer or cancelBuffer, so clients only need their own
    reference if they might use the buffer after queueing or canceling
    it.  Holding a reference to a buffer after queueing or canceling it
    is only allowed if a specific buffer count has been set.

I don't think this is a great experience and causes subtle bugs.
Instead, we should hold onto dequeued buffers for the entire time
they're dequeued, and release them only when they're
cancelled/queued/detached.

Bug: 413059222
Bug: 418318000
Bug: 420318909
Bug: 421921018
Flag: EXEMPT small fix
Test: atest libgui_test

Change-Id: Idcf08597dd79447555f0f2561b90e5063925c6df
parent 632bb8b6
Show whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment