summaryrefslogtreecommitdiff
path: root/libs
diff options
context:
space:
mode:
authorsongjinshi <songjinshi@xiaomi.com>2016-09-08 15:24:30 +0800
committerAdam Lesinski <adamlesinski@google.com>2016-10-03 20:13:12 +0000
commit5754b41c201a388e4e932b18d285d765d7e63536 (patch)
tree4ed936836cbad3be2bf58e65e3b6c71b380ea173 /libs
parentbf79852ae4ffdeee8c31d6b852ebc4ad8062de37 (diff)
downloadandroid-frameworks-base-5754b41c201a388e4e932b18d285d765d7e63536.tar.gz
android-frameworks-base-5754b41c201a388e4e932b18d285d765d7e63536.tar.xz
Fix thread race caused double free issue.
The SharedZip's Asset is not thread-safety,the getResourceTableAsset() and setResourceTableAsset(Asset* asset) function of the SharedZip is not sync with a same lock. Consider the following sequence of events: Thread A calls setResourceTableAsset(Asset* asset),it will set mResourceTableAsset = asset; then to calls getBuffer() of the asset. Thread B calls getResourceTableAsset(),which return mResourceTableAsset, then to calls getBuffer() of the mResourceTableAsset,the asset and mResourceTableAsset is same one object. Thread A to delete mZipInflater in getBuffer(). Thread B to delete mZipInflater in getBuffer(). It will cause crash becuase double delete mZipInflater in getBuffer(). https://code.google.com/p/android/issues/detail?id=211941 Bug:31734545 Change-Id: I5a7d67fdf64c4aa03f505b37a2fa840f4443d158 Signed-off-by: songjinshi <songjinshi@xiaomi.com>
Diffstat (limited to 'libs')
-rw-r--r--libs/androidfw/AssetManager.cpp3
1 files changed, 2 insertions, 1 deletions
diff --git a/libs/androidfw/AssetManager.cpp b/libs/androidfw/AssetManager.cpp
index f50cff4..8ea25d6 100644
--- a/libs/androidfw/AssetManager.cpp
+++ b/libs/androidfw/AssetManager.cpp
@@ -1892,6 +1892,7 @@ ZipFileRO* AssetManager::SharedZip::getZip()
Asset* AssetManager::SharedZip::getResourceTableAsset()
{
+ AutoMutex _l(gLock);
ALOGV("Getting from SharedZip %p resource asset %p\n", this, mResourceTableAsset);
return mResourceTableAsset;
}
@@ -1901,10 +1902,10 @@ Asset* AssetManager::SharedZip::setResourceTableAsset(Asset* asset)
{
AutoMutex _l(gLock);
if (mResourceTableAsset == NULL) {
- mResourceTableAsset = asset;
// This is not thread safe the first time it is called, so
// do it here with the global lock held.
asset->getBuffer(true);
+ mResourceTableAsset = asset;
return asset;
}
}