Diffstat (limited to 'src/gpu')
| -rw-r--r-- | src/gpu/GrAHardwareBufferImageGenerator.cpp | 2 | ||||
| -rw-r--r-- | src/gpu/GrAHardwareBufferImageGenerator.h | 13 |
2 files changed, 13 insertions, 2 deletions
diff --git a/src/gpu/GrAHardwareBufferImageGenerator.cpp b/src/gpu/GrAHardwareBufferImageGenerator.cpp
index 981337bb49..4920f1c809 100644
--- a/src/gpu/GrAHardwareBufferImageGenerator.cpp
+++ b/src/gpu/GrAHardwareBufferImageGenerator.cpp
@@ -348,7 +348,7 @@ void GrAHardwareBufferImageGenerator::makeProxy(GrContext* context) {
 AHardwareBuffer* hardwareBuffer = fHardwareBuffer;
 AHardwareBuffer_acquire(hardwareBuffer);
- GrTexture** ownedTexturePtr = &fOwnedTexture;
+ GrGpuResource** ownedTexturePtr = &fOwnedTexture;
 const bool isProtectedContent = fIsProtectedContent;
 fCachedProxy = proxyProvider->createLazyProxy(
diff --git a/src/gpu/GrAHardwareBufferImageGenerator.h b/src/gpu/GrAHardwareBufferImageGenerator.h
index 1eefe1137c..ecf5d646a0 100644
--- a/src/gpu/GrAHardwareBufferImageGenerator.h
+++ b/src/gpu/GrAHardwareBufferImageGenerator.h
@@ -11,6 +11,8 @@
 #include "GrTypesPriv.h"
+class GrGpuResource;
+
 extern "C" {
 typedef struct AHardwareBuffer AHardwareBuffer;
 }
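Review bot: In the `makeProxy` hunk of GrAHardwareBufferImageGenerator.cpp, `ownedTexturePtr` holds the address of a member field, and nothing visible shows how long that raw pointer is kept. The following context line opens a `createLazyProxy(` call whose callback lies outside the hunk. If that callback captures the pointer and can run after the generator has been destroyed, the store through it would be a use after free of the same family this commit is fixing. I would at least document the assumption at the declaration, for example `// Captured by the lazy-instantiate callback; the generator must outlive every invocation of it.`, and confirm it against the callback body. It is also worth a short comment there that the `GrTexture*` to `GrGpuResource*` conversion now happens at the store, while the texture is still alive.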
@@ -60,7 +62,16 @@ private:
 // There is never a ref associated with this pointer. We rely on our atomic bookkeeping
 // with the context ID to know when this pointer is valid and safe to use. This lets us
 // avoid releasing a ref from another thread, or get into races during context shutdown.
- GrTexture* fOwnedTexture = nullptr;
+ //
+ // We store this object as a GrGpuResource* and not a GrTexture* even though we are always
+ // using a GrTexutre. The reason for this is that it is possible for the underlying GrTexture
+ // object to get freed before this class sends its unref message (i.e. if the owning GrContext
+ // is destroyed). In this case, when we try to create the unfef message to be posted, we end up
+ // casting the GrTexture* to a GrGpuResource*. Since GrTexture has virtual inheritance, this
+ // cast causes us to dereference the vptr to get the offset to the base pointer. In other words
+ // casting with virtual inheritance counts as a use and we hit a use after free issue. Thus if
+ // we store a GrGpuResource* here instead then we don't run into the issue of needing a cast.
+ GrGpuResource* fOwnedTexture = nullptr;
 uint32_t fOwningContextID = SK_InvalidGenID;
 uint32_t fBufferFormat; |
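Review bot: The new comment on `fOwnedTexture` explains why the field is typed as the base class, but it stops short of the rule a maintainer needs. Once the owning context is gone the pointer dangles, so it may only be forwarded or compared as an identity, never dereferenced or converted. Retyping the field removes the implicit derived-to-virtual-base conversion, yet a later `dynamic_cast` or member call on it would bring back the same use after free. I would add a closing line such as `// Treat this as an opaque handle: never dereference or cast it unless fOwningContextID matches the live context.` The comment also has two typos, `GrTexutre` and `unfef`, which should read GrTexture and unref.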
