Google Git
Sign in
android/platform/frameworks/native/c81cf361489e3a3cd764c0a0c85c84958e25d63c^!/.
commit
c81cf361489e3a3cd764c0a0c85c84958e25d63c
[log]
author
Alec Mouri <alecmouri@google.com>
Wed Nov 05 21:29:10 2025 +0000
committer
Android Build Coastguard Worker <android-build-coastguard-worker@google.com>
Wed Jan 07 21:39:59 2026 -0800
tree
7e6c88b9c81c9d4f6be35dc0525fce5a170d2fd1
parent
8ec74c568b5881901cad0f1147fdc607702101e0 [diff]
Clip to layer bounds when drawing blur regions

Otherwise blurs can "escape" layer bounds. This would make 1-2
pixel-large layers fill the entire screen if the blur region is
appropriately crafted, which is not great.

Bug: 455563813
Flag: EXEMPT CVE_FIX
Test: PoC app
Cherrypick-From: https://googleplex-android-review.googlesource.com/q/commit:123f8fec995a3103acbc3a1191b9cef71523e013
Cherrypick-From: https://googleplex-android-review.googlesource.com/q/commit:f3fecb02978030ae4066235cbe638250996b6a9a
Merged-In: If59833f2d5060f5f81395d602e2dcb369a10fdbb
Change-Id: If59833f2d5060f5f81395d602e2dcb369a10fdbb

diff --git a/libs/renderengine/skia/SkiaRenderEngine.cpp b/libs/renderengine/skia/SkiaRenderEngine.cpp
index 5b6edb4..46c58b0 100644
--- a/libs/renderengine/skia/SkiaRenderEngine.cpp
+++ b/libs/renderengine/skia/SkiaRenderEngine.cpp

@@ -907,6 +907,10 @@
             SkAutoCanvasRestore acr(canvas, true);
             if (!roundRectClip.isEmpty()) {
                 canvas->clipRRect(roundRectClip, true);
+            } else {
+                // We need to clip bounds here since otherwise a client sending a bigger blur region
+                // enables the blur to "escape" the layer bounds which is very bad for security
+                canvas->clipRRect(bounds, true);
             }
 
             // TODO(b/182216890): Filter out empty layers earlier