Merge cherrypicks of ['googleplex-android-review.googlesource.com/31313621', 'googleplex-android-review.googlesource.com/31451125'] into security-aosp-tm-release.
Change-Id: Ia233982452c0be06ac3741c30777da0e639efaa0
diff --git a/services/inputflinger/dispatcher/InputDispatcher.cpp b/services/inputflinger/dispatcher/InputDispatcher.cpp
index 5e9427a..8419bbd 100644
--- a/services/inputflinger/dispatcher/InputDispatcher.cpp
+++ b/services/inputflinger/dispatcher/InputDispatcher.cpp
@@ -5729,9 +5729,7 @@
bool restartEvent;
if (dispatchEntry->eventEntry->type == EventEntry::Type::KEY) {
- KeyEntry& keyEntry = static_cast<KeyEntry&>(*(dispatchEntry->eventEntry));
- restartEvent =
- afterKeyEventLockedInterruptable(connection, dispatchEntry, keyEntry, handled);
+ restartEvent = afterKeyEventLockedInterruptable(connection, dispatchEntry, handled);
} else if (dispatchEntry->eventEntry->type == EventEntry::Type::MOTION) {
MotionEntry& motionEntry = static_cast<MotionEntry&>(*(dispatchEntry->eventEntry));
restartEvent = afterMotionEventLockedInterruptable(connection, dispatchEntry, motionEntry,
@@ -5959,7 +5957,17 @@
bool InputDispatcher::afterKeyEventLockedInterruptable(const sp<Connection>& connection,
DispatchEntry* dispatchEntry,
- KeyEntry& keyEntry, bool handled) {
+ bool handled) {
+ // The dispatchEntry is currently valid, but it might point to a deleted object after we release
+ // the lock. For simplicity, make copies of the data of interest here and assume that
+ // 'dispatchEntry' is not valid after this section.
+ // Hold a strong reference to the EventEntry to ensure it's valid for the duration of this
+ // function, even if the DispatchEntry gets destroyed and releases its share of the ownership.
+ std::shared_ptr<EventEntry> eventEntry = dispatchEntry->eventEntry;
+ const bool hasForegroundTarget = dispatchEntry->hasForegroundTarget();
+ KeyEntry& keyEntry = static_cast<KeyEntry&>(*(eventEntry));
+ // To prevent misuse, ensure dispatchEntry is no longer valid.
+ dispatchEntry = nullptr;
if (keyEntry.flags & AKEY_EVENT_FLAG_FALLBACK) {
if (!handled) {
// Report the key as unhandled, since the fallback was not handled.
@@ -5976,7 +5984,7 @@
connection->inputState.removeFallbackKey(originalKeyCode);
}
- if (handled || !dispatchEntry->hasForegroundTarget()) {
+ if (handled || !hasForegroundTarget) {
// If the application handles the original key for which we previously
// generated a fallback or if the window is not a foreground window,
// then cancel the associated fallback key, if any.
diff --git a/services/inputflinger/dispatcher/InputDispatcher.h b/services/inputflinger/dispatcher/InputDispatcher.h
index ed89ed0..088e25e 100644
--- a/services/inputflinger/dispatcher/InputDispatcher.h
+++ b/services/inputflinger/dispatcher/InputDispatcher.h
@@ -662,7 +662,7 @@
void updateLastAnrStateLocked(const std::string& windowLabel, const std::string& reason)
REQUIRES(mLock);
bool afterKeyEventLockedInterruptable(const sp<Connection>& connection,
- DispatchEntry* dispatchEntry, KeyEntry& keyEntry,
+ DispatchEntry* dispatchEntry,
bool handled) REQUIRES(mLock);
bool afterMotionEventLockedInterruptable(const sp<Connection>& connection,
DispatchEntry* dispatchEntry, MotionEntry& motionEntry,
diff --git a/services/surfaceflinger/EffectLayer.h b/services/surfaceflinger/EffectLayer.h
index 1dcb633..de0a757 100644
--- a/services/surfaceflinger/EffectLayer.h
+++ b/services/surfaceflinger/EffectLayer.h
@@ -64,6 +64,7 @@
bool fillsColor() const;
// Returns true if this layer has a blur value.
bool hasBlur() const;
+ bool needsInputInfo() const override { return fillsColor() || hasInputInfo(); }
bool hasSomethingToDraw() const { return fillsColor() || drawShadows() || hasBlur(); }
};