From 7ee0dba09550811040df4d7b494766f7d146e3de Mon Sep 17 00:00:00 2001 From: Ivan Lozano Date: Thu, 14 Dec 2017 12:25:36 -0800 Subject: Fix doFadingAnimationLocked in sanitized builds. The loop as constructed causes i to overflow twice when i = 0 on integer overflow sanitized builds. runtime error: unsigned integer overflow: 0 - 1 cannot be represented in type 'size_t' (aka 'unsigned long') runtime error: unsigned integer overflow: 18446744073709551615 + 1 cannot be represented in type 'size_t' (aka 'unsigned long') This refactors the loop to avoid the overflows. Bug: 30969751 Test: Compiles, device boots, enabled pointer location overlay. Change-Id: I844bb3b84b1f536c50d06fb489fcc22590d4aa98 --- libs/input/PointerController.cpp | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'libs/input/PointerController.cpp') diff --git a/libs/input/PointerController.cpp b/libs/input/PointerController.cpp index 7c6046789cdc..e3af65532f85 100644 --- a/libs/input/PointerController.cpp +++ b/libs/input/PointerController.cpp @@ -551,18 +551,20 @@ bool PointerController::doFadingAnimationLocked(nsecs_t timestamp) { } // Animate spots that are fading out and being removed. - for (size_t i = 0; i < mLocked.spots.size(); i++) { + for (size_t i = 0; i < mLocked.spots.size();) { Spot* spot = mLocked.spots.itemAt(i); if (spot->id == Spot::INVALID_ID) { spot->alpha -= float(frameDelay) / SPOT_FADE_DURATION; if (spot->alpha <= 0) { - mLocked.spots.removeAt(i--); + mLocked.spots.removeAt(i); releaseSpotLocked(spot); + continue; } else { spot->sprite->setAlpha(spot->alpha); keepAnimating = true; } } + ++i; } return keepAnimating; } -- cgit v1.2.3-59-g8ed1b