| author | android-build-team Robot <android-build-team-robot@google.com> | 2020-03-27 23:25:49 +0000 |
|---|---|---|
| committer | android-build-team Robot <android-build-team-robot@google.com> | 2020-03-27 23:25:49 +0000 |
| commit | c5a15d8685a8e1b13b5574afec312b84754f7d06 (patch) | |
| tree | 7bfcbc43c5425acb3014dbcbbdcb9e6956ff5876 | |
| parent | 3da91af05b8071e14fd6e59627c8fd4ed40cdde2 (diff) | |
| parent | b022196fb65be10e5aee7bd3d5cc14ab50bb9eef (diff) | |
Snap for 6341266 from b022196fb65be10e5aee7bd3d5cc14ab50bb9eef to qt-qpr3-releaseandroid-10.0.0_r41android-10.0.0_r40android-10.0.0_r39android-10.0.0_r38android-10.0.0_r37android10-qpr3-s1-releaseandroid10-qpr3-release
Change-Id: I02dcb21a312f1f7a48c6b3ae25a923b1a5f7d9b8
| -rw-r--r-- | BufferedTextOutput.cpp | 4 | ||||
| -rw-r--r-- | Parcel.cpp | 11 |
2 files changed, 8 insertions, 7 deletions
diff --git a/BufferedTextOutput.cpp b/BufferedTextOutput.cpp
index 3c7db8b..1b340a3 100644
--- a/BufferedTextOutput.cpp
+++ b/BufferedTextOutput.cpp
@@ -52,15 +52,15 @@ struct BufferedTextOutput::BufferState : public RefBase
 }
 status_t append(const char* txt, size_t len) {
+ if (len > SIZE_MAX - bufferPos) return NO_MEMORY; // overflow
 if ((len+bufferPos) > bufferSize) {
+ if ((len + bufferPos) > SIZE_MAX / 3) return NO_MEMORY; // overflow
 size_t newSize = ((len+bufferPos)*3)/2;
- if (newSize < (len+bufferPos)) return NO_MEMORY; // overflow
 void* b = realloc(buffer, newSize);
 if (!b) return NO_MEMORY;
 buffer = (char*)b;
 bufferSize = newSize;
 }
- if ((len+bufferPos) < bufferPos) return NO_MEMORY; // integer overflow
 memcpy(buffer+bufferPos, txt, len);
 bufferPos += len;
 return NO_ERROR;
@@ -778,8 +778,10 @@ restart_write:
 if (err != NO_ERROR) return err;
 }
 if (!enoughObjects) {
+ if (mObjectsSize > SIZE_MAX - 2) return NO_MEMORY; // overflow
+ if (mObjectsSize + 2 > SIZE_MAX / 3) return NO_MEMORY; // overflow
 size_t newSize = ((mObjectsSize+2)*3)/2;
- if (newSize * sizeof(binder_size_t) < mObjectsSize) return NO_MEMORY; // overflow
+ if (newSize > SIZE_MAX / sizeof(binder_size_t)) return NO_MEMORY; // overflow
 binder_size_t* objects = (binder_size_t*)realloc(mObjects, newSize*sizeof(binder_size_t));
 if (objects == nullptr) return NO_MEMORY;
 mObjects = objects;
@@ -1976,11 +1978,10 @@ status_t Parcel::growData(size_t len)
 // inadvertent conversion from a negative int.
 return BAD_VALUE;
 }
-
+ if (len > SIZE_MAX - mDataSize) return NO_MEMORY; // overflow
+ if (mDataSize + len > SIZE_MAX / 3) return NO_MEMORY; // overflow
 size_t newSize = ((mDataSize+len)*3)/2;
- return (newSize <= mDataSize)
- ? (status_t) NO_MEMORY
- : continueWrite(newSize);
+ return continueWrite(newSize);
 }
 status_t Parcel::restartWrite(size_t desired) |
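Review bot: In `BufferState::append` (BufferedTextOutput.cpp) the sum `len+bufferPos` is still spelled out three times after the new guard, so a reader has to re-check at each use that it is the already-validated value. Computing it once right after the first check, `const size_t needed = len + bufferPos;`, and using `needed` in the capacity test, the `SIZE_MAX / 3` guard and the `newSize` expression would make that ordering dependency explicit. The two `// overflow` comments would also be clearer if they named the operation they protect, e.g. `// len + bufferPos would wrap` and `// needed * 3 would wrap`. The enclosing struct begins above the hunk and the function's closing brace is below it.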
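Review bot: The three guards added under `if (!enoughObjects)` (hunk at `restart_write:`, presumably Parcel.cpp since its file header is missing from the page) all carry the same `// overflow` comment although each protects a different operation, which makes it easy to drop one as redundant in a later cleanup. I would label them individually: `// mObjectsSize + 2 would wrap`, `// (mObjectsSize + 2) * 3 would wrap`, and `// newSize * sizeof(binder_size_t) would wrap`. The first guard in particular is what makes the second one meaningful, since a wrapped `mObjectsSize + 2` would pass the `SIZE_MAX / 3` comparison. The enclosing function starts and ends outside the hunk.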
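Review bot: In `Parcel::growData` the removed `newSize <= mDataSize` test also rejected the no-growth case, and the new code no longer does: with `len == 0` and `mDataSize` of 0 or 1, `newSize` equals `mDataSize` and the call now reaches `continueWrite(newSize)` where it used to return NO_MEMORY. Whether any caller passes a zero `len` is not visible here, and `continueWrite` is defined outside the hunk, so this may be harmless, but it is a behaviour change beyond the overflow fix. If the old result should be kept, add `if (newSize <= mDataSize) return NO_MEMORY; // no growth requested` before the final return; otherwise a comment stating that zero-length growth is delegated to `continueWrite` would help. The start of the function, including the check that returns BAD_VALUE, is above the hunk.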
