From 4018eb376383a9bbe2aa75a95cc6917ca72aa0b7 Mon Sep 17 00:00:00 2001
From: John Reck
Date: Fri, 23 Jan 2015 10:57:15 -0800
Subject: [PATCH] Prevent memory corruption from use-after-free

Bug: 19035637

If an app tries to call recycle() on a Bitmap that has already been finalized it will result in use-after-frees. This is bad.

Avoid this by setting the pointer to 0 and checking for this

Change-Id: I12d73703a0f95b05fe4c2fd8e9c01b6a3f2f023b
---
 graphics/java/android/graphics/Bitmap.java | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/graphics/java/android/graphics/Bitmap.java b/graphics/java/android/graphics/Bitmap.java
index 3f79c2daab5d8..72f6118bce059 100644
--- a/graphics/java/android/graphics/Bitmap.java
+++ b/graphics/java/android/graphics/Bitmap.java
@@ -304,7 +304,7 @@ public final class Bitmap implements Parcelable {
      * there are no more references to this bitmap.
      */
     public void recycle() {
-        if (!mRecycled) {
+        if (!mRecycled && mFinalizer.mNativeBitmap != 0) {
             if (nativeRecycle(mNativeBitmap)) {
                 // return value indicates whether native pixel object was actually recycled.
                 // false indicates that it is still in use at the native level and these
@@ -1571,7 +1571,7 @@ public final class Bitmap implements Parcelable {
     }
 
     private static class BitmapFinalizer {
-        private final long mNativeBitmap;
+        private long mNativeBitmap;
 
         // Native memory allocated for the duration of the Bitmap,
         // if pixel data allocated into native memory, instead of java byte[]
@@ -1597,6 +1597,7 @@ public final class Bitmap implements Parcelable {
                     VMRuntime.getRuntime().registerNativeFree(mNativeAllocationByteCount);
                 }
                 nativeDestructor(mNativeBitmap);
+                mNativeBitmap = 0;
             }
         }
     }
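Review bot: The new guard in `recycle()` reads `mFinalizer.mNativeBitmap`, but the call on the very next line still passes the Bitmap's own `mNativeBitmap` copy to `nativeRecycle`, so the check and the use are on two different fields that are only safe if they were initialized from the same value (the constructor is outside this hunk). Reading the pointer once and using it for both keeps them from drifting apart: `long nativeBitmap = mFinalizer.mNativeBitmap; if (!mRecycled && nativeBitmap != 0) { if (nativeRecycle(nativeBitmap)) {`. The check is also not synchronized against the finalizer thread that zeroes the field, so a finalizer running concurrently can still pass this check and free the native object before `nativeRecycle` runs, and because the field is a plain non-volatile `long` the read is not guaranteed atomic on 32-bit VMs. This narrows the use-after-free window rather than closing it, which is worth stating at the check, e.g. `// Best-effort guard only: finalize() may still race with this check.`, so the next maintainer does not treat it as a complete fix. `recycle()` continues past the end of the hunk.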
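Review bot: In the `finalize()` hunk, `mNativeBitmap = 0` is stored only after `nativeDestructor` returns, so for the duration of the destructor call any other thread inspecting the field (the new check in `recycle()`) still sees a live-looking pointer to memory that is being freed; zeroing first through a local closes that window: `long nativeBitmap = mNativeBitmap; mNativeBitmap = 0; nativeDestructor(nativeBitmap);`. The field is a plain non-volatile `long`, so the store made on the finalizer thread has no guaranteed visibility to a thread calling `recycle()`, and on 32-bit VMs a concurrent reader may observe a torn value; declaring it `private volatile long mNativeBitmap;` in the declaration hunk above would give the write and the check a happens-before edge. Whether any thread other than the finalizer can actually reach this field after finalization depends on how Bitmap hands out references, which is not visible here. The enclosing `finalize()` starts outside the hunk.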