Fix sanitizer in handleTransitionLocked.
The loop as constructed in handleTransitionLocked can trigger two unsigned
integer overflows on the i = 0 iteration of integer-sanitized builds.
runtime error: unsigned integer overflow: 0 - 1 cannot be represented in
type 'size_t' (aka 'unsigned long')
runtime error: unsigned integer overflow: 18446744073709551615 + 1
cannot be represented in type 'size_t' (aka 'unsigned long')
This refactors the loop to prevent the overflow.
Bug: 30969751
Test: Compiles, device boots.
Change-Id: Ia660dffbee3da9667d5e266cc85798eb458660ac
diff --git a/services/surfaceflinger/SurfaceFlinger.cpp b/services/surfaceflinger/SurfaceFlinger.cpp
index 555f4a8..d1bbfa9 100644
--- a/services/surfaceflinger/SurfaceFlinger.cpp
+++ b/services/surfaceflinger/SurfaceFlinger.cpp
@@ -2150,7 +2150,7 @@
// (ie: in drawing state but not in current state)
// also handle displays that changed
// (ie: displays that are in both lists)
- for (size_t i=0 ; i<dc ; i++) {
+ for (size_t i=0 ; i<dc ;) {
const ssize_t j = curr.indexOfKey(draw.keyAt(i));
if (j < 0) {
// in drawing state but not in current state
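Review bot: With the increment removed from the `for` header, advancing `i` now depends entirely on the `++i` placed at the very end of the body (third hunk), so any `continue` in the roughly fifty body lines between this hunk and the next that does not also remove the current element would re-run the same index forever; only the removal path in the second hunk is visible here, so this needs confirming against the full body. The old `dc--; i--;` was well-defined unsigned wraparound, so the change is about the integer sanitizer aborting rather than a memory-safety defect, but the new shape is more fragile than the old one. Worth stating the invariant at the loop header, e.g. `// no increment here: i is advanced at the end of the body, and stays put when the current entry is removed`, and updating the comment before the `continue` in the second hunk to `// entry i was removed, so i already indexes the next item; do not advance`. The loop body starts in this hunk and ends in the third hunk, whose last line is outside the visible range.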
@@ -2185,7 +2185,7 @@
hw->disconnect(getHwComposer());
mDisplays.removeItem(display);
mDrawingState.displays.removeItemsAt(i);
- dc--; i--;
+ dc--;
// at this point we must loop to the next item
continue;
}
@@ -2207,6 +2207,7 @@
}
}
}
+ ++i;
}
// find displays that were added