Fix use-after-free in vector drawable animation
Added a strong pointer to hold reference to VD in the animation,
so that VD will not be released before animation is finished/destroyed.
BUG: 29438210
Change-Id: I311cd83043f988640de44f637cb474baada9b5ca
diff --git a/libs/hwui/PropertyValuesAnimatorSet.h b/libs/hwui/PropertyValuesAnimatorSet.h
index 49021bc..f9274e1 100644
--- a/libs/hwui/PropertyValuesAnimatorSet.h
+++ b/libs/hwui/PropertyValuesAnimatorSet.h
@@ -60,7 +60,7 @@
virtual uint32_t dirtyMask();
bool isInfinite() { return mIsInfinite; }
void setVectorDrawable(VectorDrawableRoot* vd) { mVectorDrawable = vd; }
- VectorDrawableRoot* getVectorDrawable() const { return mVectorDrawable; }
+ VectorDrawableRoot* getVectorDrawable() const { return mVectorDrawable.get(); }
AnimationListener* getOneShotListener() { return mOneShotListener.get(); }
void clearOneShotListener() { mOneShotListener = nullptr; }
uint32_t getRequestId() const { return mRequestId; }
@@ -78,7 +78,7 @@
std::vector< std::unique_ptr<PropertyAnimator> > mAnimators;
float mLastFraction = 0.0f;
bool mInitialized = false;
- VectorDrawableRoot* mVectorDrawable = nullptr;
+ sp<VectorDrawableRoot> mVectorDrawable;
bool mIsInfinite = false;
// This request id gets incremented (on UI thread only) when a new request to modfiy the
// lifecycle of an animation happens, namely when start/end/reset/reverse is called.
