Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit ed7a50cc authored Jun 08, 2015 by Christopher Tate

Prevent integer overflow when calculating buffer resizes

Make sure that we don't go haywire if an exponential buffer growth
operation winds up wrapping integer range.  Along the way, fix a
bookkeeping bug in BufferedTextOutput that would cause it to keep
spuriously realloc()ing on every append().

Bug 20674694

Change-Id: Ia845b7de36b90672a151a918ffc26c7da68e20a2

parent 98e67d35

libs/binder/BufferedTextOutput.cpp

+4 −1

Original line number	Diff line number	Diff line
		@@ -49,9 +49,12 @@ struct BufferedTextOutput::BufferState : public RefBase

		status_t append(const char* txt, size_t len) {
		if ((len+bufferPos) > bufferSize) {
		void* b = realloc(buffer, ((len+bufferPos)*3)/2);
		size_t newSize = ((len+bufferPos)*3)/2;
		if (newSize < (len+bufferPos)) return NO_MEMORY; // overflow
		void* b = realloc(buffer, newSize);
		if (!b) return NO_MEMORY;
		buffer = (char*)b;
		bufferSize = newSize;
		}
		memcpy(buffer+bufferPos, txt, len);
		bufferPos += len;

libs/binder/Parcel.cpp

+3 −1

Original line number	Diff line number	Diff line
		@@ -484,7 +484,8 @@ status_t Parcel::appendFrom(const Parcel *parcel, size_t offset, size_t len)
		if (numObjects > 0) {
		// grow objects
		if (mObjectsCapacity < mObjectsSize + numObjects) {
		int newSize = ((mObjectsSize + numObjects)*3)/2;
		size_t newSize = ((mObjectsSize + numObjects)*3)/2;
		if (newSize < mObjectsSize) return NO_MEMORY; // overflow
		binder_size_t *objects =
		(binder_size_t)realloc(mObjects, newSizesizeof(binder_size_t));
		if (objects == (binder_size_t*)0) {
		@@ -1038,6 +1039,7 @@ restart_write:
		}
		if (!enoughObjects) {
		size_t newSize = ((mObjectsSize+2)*3)/2;
		if (newSize < mObjectsSize) return NO_MEMORY; // overflow
		binder_size_t* objects = (binder_size_t)realloc(mObjects, newSizesizeof(binder_size_t));
		if (objects == NULL) return NO_MEMORY;
		mObjects = objects;