authorJinguang Dong <dongjinguang@huawei.com>2017-04-05 22:36:55 +0000
committerandroid-build-merger <android-build-merger@google.com>2017-04-05 22:36:55 +0000
commitc6f1cf901e3137da8c2d85132dd6122a514264c1 (patch)
tree1180eb05576910c90445aea4b099bf3ed404414e
parentf73a010f4f2c6f2b7888e0f6501d2a5044154337 (diff)
parent4a2de986dfaff72bca01ab206f1a1a2afc1278b2 (diff)
downloadgatekeeper-c6f1cf901e3137da8c2d85132dd6122a514264c1.tar.gz
Fix a not properly handled pointer comparison that caused UB am: 7f5c6593f2 am: 6ae350fa22 am: f42b1b66ca
am: 4a2de986df Change-Id: Ieb1df247934f1fda866420beab85c9dc3475c6a7
-rw-r--r--gatekeeper_messages.cpp4
1 files changed, 2 insertions, 2 deletions
diff --git a/gatekeeper_messages.cpp b/gatekeeper_messages.cpp
index fc76d5e..41972bb 100644
--- a/gatekeeper_messages.cpp
+++ b/gatekeeper_messages.cpp
@@ -52,8 +52,8 @@ static inline gatekeeper_error_t read_from_buffer(const uint8_t **buffer, const
memcpy(&target->length, *buffer, sizeof(target->length));
*buffer += sizeof(target->length);
if (target->length != 0) {
- const uint8_t *buffer_end = *buffer + target->length;
- if (buffer_end > end || buffer_end <= *buffer) return ERROR_INVALID;
+ const size_t buffer_size = end - *buffer;
+ if (buffer_size < target->length) return ERROR_INVALID;
target->buffer.reset(new uint8_t[target->length]);
memcpy(target->buffer.get(), *buffer, target->length);
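Review bot: The new guard on `buffer_size` is only sound if `*buffer <= end` at the point where `end - *buffer` is evaluated; the subtraction yields a signed `ptrdiff_t` that is implicitly converted to `size_t`, so a cursor already past `end` would wrap to a very large value and `buffer_size < target->length` would not reject the message. That invariant presumably comes from a check earlier in `read_from_buffer`, whose body starts and ends outside this hunk, and if that earlier check is itself written as pointer addition it would carry the same overflow problem this commit removes here. I would make the precondition explicit at this site, e.g. `if (*buffer > end) return ERROR_INVALID;` before the subtraction, and add a comment such as `// length is untrusted: compare against the bytes remaining, never form *buffer + length`.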