Prevent memory corruption from use-after-free

Bug: 19035637

If an app tries to call recycle() on a Bitmap that has
already been finalized, it will result in a use-after-free. This is
bad. Avoid this by setting the pointer to 0 and checking for it.

Change-Id: I12d73703a0f95b05fe4c2fd8e9c01b6a3f2f023b
This commit is contained in:
John Reck
2015-01-23 10:57:15 -08:00
parent b74155cf01
commit 4018eb3763


@@ -304,7 +304,7 @@ public final class Bitmap implements Parcelable {
* there are no more references to this bitmap.
*/
public void recycle() {
if (!mRecycled) {
if (!mRecycled && mFinalizer.mNativeBitmap != 0) {
if (nativeRecycle(mNativeBitmap)) {
// return value indicates whether native pixel object was actually recycled.
// false indicates that it is still in use at the native level and these
@@ -1571,7 +1571,7 @@ public final class Bitmap implements Parcelable {
}
private static class BitmapFinalizer {
private final long mNativeBitmap;
private long mNativeBitmap;
// Native memory allocated for the duration of the Bitmap,
// if pixel data allocated into native memory, instead of java byte[]
@@ -1597,6 +1597,7 @@ public final class Bitmap implements Parcelable {
VMRuntime.getRuntime().registerNativeFree(mNativeAllocationByteCount);
}
nativeDestructor(mNativeBitmap);
mNativeBitmap = 0;
}
}
}
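Review bot: The new guard in recycle() reads `mFinalizer.mNativeBitmap`, a plain `long` that the finalizer now sets to 0 from the finalizer thread, so without `volatile` the thread calling recycle() has no guarantee of observing the zeroed value, and a non-volatile 64-bit write is not required to be atomic under JLS 17.7, which could expose a torn handle; declaring it `private volatile long mNativeBitmap;` in BitmapFinalizer (second hunk) closes that gap. The guard also checks the finalizer's copy of the handle while the call on the next line passes `mNativeBitmap`; if Bitmap keeps its own copy of the handle, that copy is never zeroed, so passing `mFinalizer.mNativeBitmap` to nativeRecycle (or reading the handle once into a local and using it for both the check and the call) keeps the check and the use on the same value. Even then, the check-then-call is a narrow window if the finalizer can run concurrently with recycle(), which the commit does not address. The recycle() body continues past the first hunk, and finalize() begins before the third.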