commit 0d12f7a427e98e54b9dc72cadb994f5cb034eb13
author Michael Wright <michaelwr@google.com> Tue Jun 20 21:21:27 2017 +0100
committer Michael Wright <michaelwr@google.com> Wed Jun 21 15:21:18 2017 +0000
tree bcdda875f7fea681a53bf13253c25d7c2afb4e53
parent 592e85b4fdbf423d7afa32eb69c7fbae2dd960b4

Make the log message in setInteractive a local variable.

If the error message isn't a local variable, it will go out of scope
immediately after LogIfSlow is constructed. Unfortunately, LogIfSlow
maintains a pointer to String8s internal char* member... which causes a
use after free when it goes to log. Oops.

Bug: 62820330
Test: none
Change-Id: Ie1da3be723f8aae165822002ff42954480a43aa5

services/core/jni/com_android_server_power_PowerManagerService.cpp

diff --git a/services/core/jni/com_android_server_power_PowerManagerService.cpp b/services/core/jni/com_android_server_power_PowerManagerService.cpp
index c722629..86c5e99 100644
--- a/services/core/jni/com_android_server_power_PowerManagerService.cpp
+++ b/services/core/jni/com_android_server_power_PowerManagerService.cpp
@@ -157,8 +157,10 @@
 static void nativeSetInteractive(JNIEnv* /* env */, jclass /* clazz */, jboolean enable) {
     std::lock_guard<std::mutex> lock(gPowerHalMutex);
     if (getPowerHal()) {
-        String8 err("Excessive delay in setInteractive(%s) while turning screen %s");
-        ALOGD_IF_SLOW(20, String8::format(err, enable ? "true" : "false", enable ? "on" : "off"));
+        String8 err = String8::format(
+                "Excessive delay in setInteractive(%s) while turning screen %s",
+                enable ? "true" : "false", enable ? "on" : "off");
+        ALOGD_IF_SLOW(20, err);
         Return<void> ret = gPowerHal->setInteractive(enable);
         processReturn(ret, "setInteractive");
     }