commit 01be49fc9e6d7c60764daa8c813829a671a1c48f
author Ivan Lozano <ivanlozano@google.com> Thu Nov 09 10:03:38 2017 -0800
committer Ivan Lozano <ivanlozano@google.com> Thu Nov 09 11:00:27 2017 -0800
tree 929a93e510784221a7f6bd7e8a3ce46e6a0f8d70
parent d52f2e426c80136ecbdfe1124604164fa683d6e9

Fix sanitizer in surfaceflinger waitForEvent.

The loop in EventThread::waitForEvent as it is currently constructed
results in two unsigned overflows as a result of the increment/decrement
operation. This causes runtime errors on integer sanitized builds.
This patch refactors the loop to avoid these overflows.

Bug: 30969751
Test: Compiles and device boots. Runtime error no longer emitted.

Change-Id: I2eaa44c0910f19847d366210cafc947efaebfb2d

services/surfaceflinger/EventThread.cpp

diff --git a/services/surfaceflinger/EventThread.cpp b/services/surfaceflinger/EventThread.cpp
index a9bb2ba..f647742 100644
--- a/services/surfaceflinger/EventThread.cpp
+++ b/services/surfaceflinger/EventThread.cpp
@@ -248,7 +248,7 @@
 
         // find out connections waiting for events
         size_t count = mDisplayEventConnections.size();
-        for (size_t i=0 ; i<count ; i++) {
+        for (size_t i=0 ; i<count ; ) {
             sp<Connection> connection(mDisplayEventConnections[i].promote());
             if (connection != NULL) {
                 bool added = false;
@@ -279,11 +279,12 @@
                     // messages.
                     signalConnections.add(connection);
                 }
+                ++i;
             } else {
                 // we couldn't promote this reference, the connection has
                 // died, so clean-up!
                 mDisplayEventConnections.removeAt(i);
-                --i; --count;
+                --count;
             }
         }