author | Martijn Coenen <maco@google.com> | 2020-01-22 10:41:03 +0100 |
---|---|---|
committer | Martijn Coenen <maco@google.com> | 2020-01-23 09:45:44 +0100 |
commit | d79ac373483c36f893981c7319d37a5ebbd63b98 (patch) | |
tree | 9d8457219ed275936031e108045fe2020bea70ad /Parcel.cpp | |
parent | d027194efdbe7adceb69955ab2d4d23de7002bdb (diff) | |
download | libhwbinder-d79ac373483c36f893981c7319d37a5ebbd63b98.tar.gz |
Fix addition/overflow checks.
For unsigned arithmetic, use:
(a + b < a) to detect whether a+b wraps
(a > c / b) to detect whether a*b > c
Bug: 120078455
Test: builds and boots
Change-Id: I738b90855b6b9a8effbf55a468c751b6d0b8edd9
Diffstat (limited to 'Parcel.cpp')
-rw-r--r-- | Parcel.cpp | 11 |
1 files changed, 6 insertions, 5 deletions
@@ -677,8 +677,10 @@ restart_write:
 if (err != NO_ERROR) return err;
 }
 if (!enoughObjects) {
+ if (mObjectsSize > SIZE_MAX - 2) return NO_MEMORY; // overflow
+ if (mObjectsSize + 2 > SIZE_MAX / 3) return NO_MEMORY; // overflow
 size_t newSize = ((mObjectsSize+2)*3)/2;
- if (newSize * sizeof(binder_size_t) < mObjectsSize) return NO_MEMORY; // overflow
+ if (newSize > SIZE_MAX / sizeof(binder_size_t)) return NO_MEMORY; // overflow
 binder_size_t* objects = (binder_size_t*)realloc(mObjects, newSize*sizeof(binder_size_t));
 if (objects == nullptr) return NO_MEMORY;
 mObjects = objects;
@@ -1719,11 +1721,10 @@ status_t Parcel::growData(size_t len)
 // inadvertent conversion from a negative int.
 return BAD_VALUE;
 }
-
+ if (len > SIZE_MAX - mDataSize) return NO_MEMORY; // overflow
+ if (mDataSize + len > SIZE_MAX / 3) return NO_MEMORY; // overflow
 size_t newSize = ((mDataSize+len)*3)/2;
- return (newSize <= mDataSize)
- ? (status_t) NO_MEMORY
- : continueWrite(newSize);
+ return continueWrite(newSize);
 }

 status_t Parcel::restartWrite(size_t desired) |
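Review bot: The three new guards in the `!enoughObjects` branch all carry the same `// overflow` comment, so a reader has to re-derive which step of `((mObjectsSize+2)*3)/2` and of the later `newSize*sizeof(binder_size_t)` each one protects. I would label them, for example `// mObjectsSize + 2 would wrap`, `// (mObjectsSize + 2) * 3 would wrap` and `// realloc byte count would wrap`. The same 3/2 growth arithmetic with the same pair of guards is repeated in growData in the second hunk, so a small shared helper would keep the checks in one place. The enclosing function starts and ends outside this hunk.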
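Review bot: Dropping the `newSize <= mDataSize` test in growData removes more than the old overflow detection: that test also returned NO_MEMORY when the computed size did not exceed the current one, which happens for `len == 0` with `mDataSize` of 0 or 1. With the new code those cases reach `continueWrite(newSize)` with a size no larger than the current data size; whether continueWrite tolerates that is not visible here. If the old behaviour is wanted, keep `if (newSize <= mDataSize) return NO_MEMORY;` before `return continueWrite(newSize);`. The start of growData, including its `len` range check, is above the hunk.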