From 5bf8fc7edec7fcb8cdacec63cd4dcca29ffbeb38 Mon Sep 17 00:00:00 2001
From: Chia-I Wu
Date: Tue, 18 Jul 2017 11:30:05 -0700
Subject: surfaceflinger: fix a nullptr dereference
When the child layer latched a buffer but the fixed-size parent layer never did (for reasons such as no buffer queued or buffer got rejected), we could end up with p->mActiveBuffer being nullptr.
Bug: 62996512
Test: manual (I could never repro anyway)
Change-Id: Id7e4c7037633b8a37039baa6e8a306e55170b894
(cherry picked from commit 0a68b461d382304ae438fa8b52920fa75d178a1c)
(cherry picked from commit 2e00825332f1807316eca5b4b41527e3bbab841f)
---
 services/surfaceflinger/Layer.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/services/surfaceflinger/Layer.cpp b/services/surfaceflinger/Layer.cpp
index 88a5bd4a06..230520611b 100644
--- a/services/surfaceflinger/Layer.cpp
+++ b/services/surfaceflinger/Layer.cpp
@@ -2682,7 +2682,7 @@ Transform Layer::getTransform() const {
 // for in the transform. We need to mirror this scaling in child surfaces
 // or we will break the contract where WM can treat child surfaces as
 // pixels in the parent surface.
- if (p->isFixedSize()) {
+ if (p->isFixedSize() && p->mActiveBuffer != nullptr) {
 int bufferWidth;
 int bufferHeight;
 if ((p->mCurrentTransform & NATIVE_WINDOW_TRANSFORM_ROT_90) == 0) {
-- 
cgit v1.2.3
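Review bot: The added `p->mActiveBuffer != nullptr` test in `if (p->isFixedSize() && ...)` skips the parent-scaling block silently, and the comment above it does not say why a fixed-size parent can have no buffer or that the child transform is then left unscaled. I would extend that comment with `// The parent may not have latched a buffer yet (none queued, or rejected); skip the scaling until it does.` The body of the `if` continues outside the hunk, but it presumably reads `p->mActiveBuffer` again for the buffer dimensions; if `getTransform()` can ever run off the thread that latches buffers, the check and the use should share one local strong reference, e.g. `const sp<GraphicBuffer> parentBuffer = p->mActiveBuffer;`. The commit message says the crash was never reproduced, so a test that composes a child layer under a fixed-size parent with no latched buffer would pin the fix.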