
Commit 9ef855d0 authored by Ivan Lozano

Fix overflow sanitizer in copyWithAuthor.

The array index calculation in NBLog.cpp causes a runtime error on
integer overflow sanitized builds. Although kPreviousLengthOffset is now
ssize_t, sizeof() returns size_t, which is causing kPreviousLengthOffset
to be implicitly cast to size_t, resulting in the overflow.

 runtime error: unsigned integer overflow: 27 + 4294967295 cannot be
 represented in type 'unsigned int'

This restructures the buffer index to avoid the overflow altogether.

Bug: 30969751
Test: Compiles, device boots.
Change-Id: I9abb858190ecdeeaede66cf502ceb586467d5c0c
parent 61aaab80
+2 −1
@@ -259,7 +259,8 @@ NBLog::EntryIterator NBLog::HistogramEntry::copyWithAuthor(
    *(int*) (buffer + sizeof(entry) + sizeof(HistTsEntry)) = author;
    // Update lengths
    buffer[offsetof(entry, length)] = sizeof(HistTsEntryWithAuthor);
    buffer[sizeof(buffer) + Entry::kPreviousLengthOffset] = sizeof(HistTsEntryWithAuthor);
    buffer[offsetof(entry, data) + sizeof(HistTsEntryWithAuthor) + offsetof(ending, length)]
        = sizeof(HistTsEntryWithAuthor);
    // Write new buffer into FIFO
    dst->write(buffer, sizeof(buffer));
    return EntryIterator(mEntry).next();
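Review bot: The replacement index `offsetof(entry, data) + sizeof(HistTsEntryWithAuthor) + offsetof(ending, length)` only targets the same byte as the removed `sizeof(buffer) + Entry::kPreviousLengthOffset` if the buffer is laid out exactly as the `entry` header, then the `HistTsEntryWithAuthor` payload, then `ending`; nothing in the hunk pins that relationship, so a `static_assert` next to the write that the new expression equals `sizeof(buffer) - 1` would stop a later change to those structs from silently desynchronising the two length fields. Also, the Test line in the commit message only says "Compiles, device boots"; since the old expression produced the intended index after the unsigned wraparound and only the sanitizer complained, confirming on an integer-overflow sanitized build that the reported runtime error no longer fires is what actually verifies this change.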