DynamicRefTables parsed from apks are missing bounds checks that prevent
buffer overflows. This change verifies the bounds of the header before
attempting to perform operations on the chunk.
Bug: 79488511
Test: run cts -m CtsAppSecurityHostTestCases \
-t android.appsecurity.cts.CorruptApkTests
Change-Id: I02c8ad957da244fce777ac68a482e4e8fa70f846
Merged-In: I02c8ad957da244fce777ac68a482e4e8fa70f846
The WebView was unable to draw into either a standard clipped
layer or the "fading edges" unclipped layer. This CL and its
companion test cases ensure that both work with simple and
complex clips.
Bug: 79619253
Bug: 80443556
Bug: 80477645
Test: atest CtsUiRenderingTestCases:.LayerTests
Merged-In: I0e16b724f74415a61cc2a841ccf4a491f293ac94
Change-Id: I4900222975fc841b11828916878fb0ea6d87dcda
Make sure view port and frame buffer are set to the correct values
before calling GL functor (WebView) draw.
Improve correctness for stencil clip by doing a second flush that
guarantees the stencil clear will be executed after draw commands.
Bug: 79619253
Test: XFINITY Connect app draws correctly
Change-Id: Ieb3d0d70caf0469b6393e6287f8529cd86519301
Changes the logs added in a previous security fix to warnings so
devices with malformed APKs currently on them will not undergo DOS when
they are upgraded to P.
Bug: 79724567
Test: run cts -m CtsAppSecurityHostTestCases \
-t android.appsecurity.cts.CorruptApkTests
Change-Id: Ied54e4bb14abdaf79da562022c7ea6075187c1f8
Otherwise it could lead to parameters applied in the wrong frame,
leading to jank.
Test: Open notification
Bug: 78611607
Change-Id: Ia7900e753b29187a7a7b81f393666687e8b8e04b
Merged-In: Ia7900e753b29187a7a7b81f393666687e8b8e04b
Bug: 78866720
Test: Manual + systrace; existing CTS
Previously, we set hasAnimations to true when the AnimatedImageDrawable,
so that we would get a call to redraw. But if the image does not need to
show its next frame yet, the redraw was unnecessary.
Instead, add a new field to TreeInfo::Out, representing the delay time
until the image will need to be redrawn - i.e. when the duration of the
current frame has passed. Each call to prepareTree will post at most one
message to redraw, in time for the earliest animated image to be
redrawn. Post the message for one rendered frame ahead of time, so that
when it is time to show the next frame, the image has already gotten the
message to update.
On a screen with a single animated image, this drops the number of calls
to dispatchFrameCallbacks to as infrequent as possible. It is called
only when we need to draw a new frame of the image. On a screen with
multiple animated images, the calls may be redundant, but they will not
be more frequent than they would be without this change.
Switch to nsecs_t and systemTime internally, matching the rest of HWUI.
Remove mDidDraw and related. Its purpose was to prevent advancing the
animation while the image is not being drawn. But it isn't really
necessary. If it's not drawn, onDraw is not called, which is where we
trigger decoding. And onDraw already has a defense against getting too
far ahead - if its timer indicates that it should skip a frame or show
it very briefly, it will back up its timer. More importantly, mDidDraw
caused a bug, when combined with less frequent redraws. If the display
list containing the drawable doesn't need to be redrawn for other
reasons, the drawable's timer never advanced, so its animation stopped.
Fix software drawing. Compute the milliseconds in the future to draw the
next frame, and add that to SystemClock.uptimeMillis() to compute the
time to pass to scheduleSelf.
Change-Id: I13aab49922fa300f73b327be25561d7120c09ec4
XmlBlocks are cached in ResourcesImpl::loadXmlResourceParser(...) and
when asset manager invalidates itself, the references to the dynamic
reference tables point to garbage. Now, the reference table is cloned
when the XmlBlock is created so invalidation will not affect the
XmlTree.
Bug: 74240254
Test: Tested GoogleMaps on 9.75.7 and saw crashes stop
Change-Id: I932db7a85fddc640c4d6ec327f534b5a1ad6d0b1
Bug: 77917978
Test: Look at toggles; CtsUiRenderingTestCases
Prior to this change, the toggles look pixelated due to using a
"nearest" filter instead of a "bilerp".
This matches the behavior of the hwui renderer.
Depends on changes in Skia (Ib7d0abdd51981bddf36ec5c3fd84bb651f405f0f)
to respect the filter quality when drawing to a GPU canvas and to
remove the resulting "bleeding" effect from drawImageLattice.
Change-Id: I59d81a17f351e18574539479a38a580a02e1619b
It will only print out a dump for userdebug or eng builds.
Bug: 77727638
Test: flash device and check output of incident proto and
'dumpsys batterystats -c --history'
Merged-In: Ib74d4c664f23a61e6fc33f700ba6a3c6fad32c74
Change-Id: Ia0c993d1281cc350d93f9c13f5540b349a4bfb84
AAPT would not print resource values for splits passed in with the -I
flag. This fix prints out each split separately with the correct type
specs and values.
Bug: 79195967
Test: aapt dump --values -I base-hdpi.apk resources base-master.apk
Change-Id: I223186136e98180fec4a3d96f92f53407db59e2d
This is a temporary solution to bypass failure of reading cpu info or
battery type in P if the path doesn't exist on some devices. See bug for
details. However in Q, incidentd should implement reading from the
common Linux kernel interfaces.
Bug: 78028767
Bug: 78239764
Test: atest incidentd_test
Change-Id: I08ffcb21709efe5478d2ac46121deb5795af1024
Merged-In: I08ffcb21709efe5478d2ac46121deb5795af1024
This CL extracts the android_dataspace from the GLConsumer and converts
it to a SkColorSpace. HWUI always expects to composite into an sRGB
destination so when we draw the layer we run the draw through a
colorFilter that converts the input colorSpace into that of the
destination.
Test: CtsViewTestCases
Bug: 78016220
Merged-In: Ic0446a0d861e86a5a9d0382346b57fcc45c8a61b
Change-Id: Ic0446a0d861e86a5a9d0382346b57fcc45c8a61b
create_recording_canvas expects as a last parameter a render node,
which is used to reuse deallocated display lists. Passing the
render node improved performance in several tests and it is
matching how HWUI is using that API too.
bug: 69131471
Test: tvappGlTex DrawFrame is 1ms faster
Change-Id: I93d8da694c178d3fb8d1aa52afa76dd8271e93cb
Pre-O, the platform treats negative resource IDs [those with
a package ID of 0x80 or higher] as invalid. In order to work
around this limitation, we allow the use of traditionally
reserved resource IDs [those between 0x02 and 0x7E].
Bug: 78041707
Test: ./out/host/linux-x86/nativetest64/aapt2_tests/aapt2_tests
Test: ./out/host/linux-x86/nativetest/libandroidfw_tests/libandroidfw_tests
Test: Manual. Create a feature split with a package ID of 0x7E and see it runs and can reference base resources.
Change-Id: I3d9782cc05d3a55e1a2467bf39566788847e1160
Bug: 78463311
Test: I28713c3e5ce38dea15c75542801f9aef0e5b5b0a
Bitmap::getSkBitmap() is used by Bitmap#compress before encoding. If the
Bitmap has Config HARDWARE, we have to do a readback first. We cannot
necessarily do the readback using the SkColorSpace of the Bitmap, since
that requires creating an SkSurface, which does not support all
SkColorSpaces. Instead, continue using nullptr for the readback, and
then change the info and reattach the SkPixelRef.
This fixes a bug where encoding a non-SRGB HARDWARE Bitmap and then
decoding it results in a Bitmap with the wrong ColorSpace.
Change-Id: If55b2dbfeb17d81ceaf9594b32ed69b6a9058f06
+ The socket listener is behind a flag. It's disabled until we get sepolicy changes in.
+ Data parsing code is from logd, because we use the same format.
+ Removed Davey from JankTracker because it violates our new sepolicy
Test: manually
Bug: 78239479
Change-Id: Ib17729fbc362cdb13385f780e2d636a95adf9bc3
AAPT would allow for ids to be declared in the form:
<item name="name" type="id">@id/other</item>
@id/name should hold a reference to @id/other. When
getResources().getValue() is called on R.id.name with resolveRefs
enabled, the resulting reference should be R.id.other.
Bug: 69445910
Test: Created tests for correct parsing of id references and correct
resolving of deep references
Change-Id: Id1feb37b2565c213dc6a19b4c401906260d7fc14
Adds detection of attacker-modified size and data fields passed to
ResStringPool::setTo(). These attacks are modified apks that AAPT would
not normally generate. In the rare case this occurs, the installation
cannot be allowed to continue.
Bug: 71361168
Bug: 71360999
Test: run cts -m CtsAppSecurityHostTestCases \
-t android.appsecurity.cts.CorruptApkTests
Change-Id: If7eb93a9e723b16c8a0556fc4e20006aa0391d57
Merged-In: If7eb93a9e723b16c8a0556fc4e20006aa0391d57
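The two APK-hardening messages above (header bounds for parsed chunks, and size/data field checks before ResStringPool::setTo() uses them) describe the same class of check; the following is an added illustration of it, not the code from either change. It assumes the on-disk ResChunk_header (type, headerSize, size) and ResStringPool_header layouts; the function names, return codes and the sample buffer are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum { CHUNK_HDR = 8, POOL_HDR = 28 };  /* sizes of the two on-disk headers */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Validate the generic chunk header against the bytes actually available. */
int check_chunk(const uint8_t *buf, size_t avail, size_t min_header) {
    if (avail < CHUNK_HDR) return -1;              /* header itself truncated */
    uint16_t header_size = rd16(buf + 2);
    uint32_t size = rd32(buf + 4);
    if (header_size < min_header) return -2;       /* too small for this chunk type */
    if (header_size > size) return -3;             /* header larger than chunk */
    if (size > avail) return -4;                   /* chunk runs past the buffer */
    return 0;
}

/* Validate string-pool counts and offsets before any index array is read. */
int check_string_pool(const uint8_t *buf, size_t avail) {
    int rc = check_chunk(buf, avail, POOL_HDR);
    if (rc != 0) return rc;
    uint32_t header_size = rd16(buf + 2), size = rd32(buf + 4);
    uint64_t entries = (uint64_t)rd32(buf + 8) + rd32(buf + 12); /* strings + styles */
    uint64_t index_end = header_size + 4 * entries;              /* 64-bit: no wrap */
    uint32_t strings_start = rd32(buf + 20);
    if (index_end > size) return -5;               /* index arrays overflow chunk */
    if (rd32(buf + 8) > 0 && (strings_start < index_end || strings_start >= size))
        return -6;                                 /* string data offset out of range */
    return 0;
}

/* Constructed sample: a 64-byte pool chunk with caller-chosen header fields. */
int sample_result(uint32_t size, uint32_t string_count, uint32_t strings_start) {
    uint8_t buf[64];
    memset(buf, 0, sizeof buf);
    buf[0] = 0x01; buf[2] = POOL_HDR;              /* type 0x0001, headerSize 28 */
    wr32(buf + 4, size); wr32(buf + 8, string_count); wr32(buf + 20, strings_start);
    return check_string_pool(buf, sizeof buf);
}

int main(void) { return sample_result(64, 2, 36); }
```

A stringCount of 0x40000000 would make a 32-bit `headerSize + 4 * stringCount` wrap back to 28 and pass a naive comparison, which is why the index-array end is computed in 64 bits.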
Style resources with circular parental dependencies caused infinite
recursion when calling AssetManager2::GetBag. This fix allows recursion
to cease when a circular dependency is found.
Bug: 77928512
Change-Id: Ib900c36ab1aef5da5b03234a9484c4dad3b63c02
Test: Manual test of b/77928512 and duplicates of 74493983