Eliminate benign overflow condition triggered upon loop termination in Input.cpp In readFromParcel, a while loop is terminated when sampleCount = 0. The decrement operation that was here would decrease sampleCount, an unsigned value, below 0, triggering an unsigned integer overflow. The while loop was refactored to eliminate this condition. Bug: 24171356 Change-Id: I7669f54a41d11548b33e322b025431c6f6038952

commit: c94fc45bc5c07724e63e4da5151cfea90bd87986 [log] [tgz]
author: Dan Austin <danielaustin@google.com> Tue Sep 22 14:22:41 2015 -0700
committer: Dan Austin <danielaustin@google.com> Tue Sep 22 14:38:51 2015 -0700
tree: 02d2ebea2ff0e45ab0de00664363eb3d2b42e88e
parent: 251c8b3ff842363243c8eea25b369bd805af7aad [diff] [blame]
diff --git a/libs/input/Input.cpp b/libs/input/Input.cpp
index 69a6432..ecd2d90 100644
--- a/libs/input/Input.cpp
+++ b/libs/input/Input.cpp

@@ -452,7 +452,8 @@
         properties.toolType = parcel->readInt32();
     }
 
-    while (sampleCount-- > 0) {
+    while (sampleCount > 0) {
+        sampleCount--;
         mSampleEventTimes.push(parcel->readInt64());
         for (size_t i = 0; i < pointerCount; i++) {
             mSamplePointerCoords.push();
commit	c94fc45bc5c07724e63e4da5151cfea90bd87986	[log] [tgz]
author	Dan Austin <danielaustin@google.com>	Tue Sep 22 14:22:41 2015 -0700
committer	Dan Austin <danielaustin@google.com>	Tue Sep 22 14:38:51 2015 -0700
tree	02d2ebea2ff0e45ab0de00664363eb3d2b42e88e
parent	251c8b3ff842363243c8eea25b369bd805af7aad [diff] [blame]