Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit aa6e1118 authored by Tri Vo's avatar Tri Vo
Browse files

libbinder: keep ashmem size >= 0 

Avoid integer overflow.

Bug: 123590642
Test: device boots
Change-Id: I9f25827842da00c4e69efca849c6a94721964007
parent f9a1f695

libs/binder/Parcel.cpp

+4 −1
Original line number Diff line number Diff line
@@ -181,7 +181,10 @@ static void release_object(const sp<ProcessState>& proc, 
                if ((outAshmemSize != nullptr) && ashmem_valid(obj.handle)) {

                    int size = ashmem_get_size_region(obj.handle);

                    if (size > 0) {

                        *outAshmemSize -= size;

                        // ashmem size might have changed since last time it was accounted for, e.g.

                        // in acquire_object(). Value of *outAshmemSize is not critical since we are

                        // releasing the object anyway. Check for integer overflow condition.

                        *outAshmemSize -= std::min(*outAshmemSize, static_cast<size_t>(size));

                    }

                }