
Commit 34ff878a authored by Ivan Lozano

Fix sanitizer in handleTransitionLocked.

The loop as constructed in handleTransitionLocked potentially leads to
two unsigned integer overflows on the i = 0 loop on integer sanitized
builds.

 runtime error: unsigned integer overflow: 0 - 1 cannot be represented in
 type 'size_t' (aka 'unsigned long')

 runtime error: unsigned integer overflow: 18446744073709551615 + 1
 cannot be represented in type 'size_t' (aka 'unsigned long')

This refactors the loop to prevent the overflow.

Bug: 30969751
Test: Compiles, device boots.

Change-Id: Ia660dffbee3da9667d5e266cc85798eb458660ac
Merged-In: Ia660dffbee3da9667d5e266cc85798eb458660ac
parent a9c7e6d1
+3 −2
@@ -2131,7 +2131,7 @@ void SurfaceFlinger::handleTransactionLocked(uint32_t transactionFlags)
            // (ie: in drawing state but not in current state)
            // also handle displays that changed
            // (ie: displays that are in both lists)
            for (size_t i=0 ; i<dc ; i++) {
            for (size_t i=0 ; i<dc ;) {
                const ssize_t j = curr.indexOfKey(draw.keyAt(i));
                if (j < 0) {
                    // in drawing state but not in current state
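Review bot: With the increment dropped from the header at "for (size_t i=0 ; i<dc ;)", termination now depends on every path through the body either advancing i or shrinking dc. Only one "continue" is visible in this diff (the removal path, which does "dc--"); please confirm that no other "continue" exists in the part of the body not shown here, since it would now spin on the same index. A "while (i < dc)" with i declared just above would signal the manual advance more clearly than a for statement with an empty third clause.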
@@ -2166,7 +2166,7 @@ void SurfaceFlinger::handleTransactionLocked(uint32_t transactionFlags)
                            hw->disconnect(getHwComposer());
                        mDisplays.removeItem(display);
                        mDrawingState.displays.removeItemsAt(i);
                        dc--; i--;
                        dc--;
                        // at this point we must loop to the next item
                        continue;
                    }
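Review bot: The retained comment "at this point we must loop to the next item" is now misleading next to "dc--;" followed by "continue;", because i is deliberately left unchanged here. After "removeItemsAt(i)" the following entry has shifted into index i, so staying on i is what visits the next item. Suggest rewording the comment to say that, so a later change does not reintroduce an "i--" or add an "i++" on this path.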
@@ -2188,6 +2188,7 @@ void SurfaceFlinger::handleTransactionLocked(uint32_t transactionFlags)
                        }
                    }
                }
                ++i;
            }

            // find displays that were added
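Review bot: The new "++i;" at the bottom of the body is reached only on iterations that do not remove an entry, and the removal path in the previous hunk bypasses it. The stated test ("Compiles, device boots") does not show that either the removal path or the i = 0 case from the sanitizer report was exercised. It would help to note a run on an integer-sanitized build where a display is removed or changed while it sits at index 0, confirming the two runtime errors quoted in the message no longer fire.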