Fix addition/overflow checks.

For unsigned arithmetic, use:

(a + b < a) to detect whether a+b wraps
(a > c / b) to detect whether a*b > c

Bug: 120078455
Test: builds and boots
Change-Id: I738b90855b6b9a8effbf55a468c751b6d0b8edd9

1 files changed, 6 insertions, 5 deletions

diff --git a/Parcel.cpp b/Parcel.cpp
index e5f2032..f1d6dbd 100644
--- a/Parcel.cpp
+++ b/Parcel.cpp
@@ -677,8 +677,10 @@ restart_write:
         if (err != NO_ERROR) return err;
     }
     if (!enoughObjects) {
+        if (mObjectsSize > SIZE_MAX - 2) return NO_MEMORY; // overflow
+        if (mObjectsSize + 2 > SIZE_MAX / 3) return NO_MEMORY; // overflow
         size_t newSize = ((mObjectsSize+2)*3)/2;
-        if (newSize * sizeof(binder_size_t) < mObjectsSize) return NO_MEMORY;   // overflow
+        if (newSize > SIZE_MAX / sizeof(binder_size_t)) return NO_MEMORY; // overflow
         binder_size_t* objects = (binder_size_t*)realloc(mObjects, newSize*sizeof(binder_size_t));
         if (objects == nullptr) return NO_MEMORY;
         mObjects = objects;
@@ -1719,11 +1721,10 @@ status_t Parcel::growData(size_t len)
         // inadvertent conversion from a negative int.
         return BAD_VALUE;
     }
-
+    if (len > SIZE_MAX - mDataSize) return NO_MEMORY; // overflow
+    if (mDataSize + len > SIZE_MAX / 3) return NO_MEMORY; // overflow
     size_t newSize = ((mDataSize+len)*3)/2;
-    return (newSize <= mDataSize)
-            ? (status_t) NO_MEMORY
-            : continueWrite(newSize);
+    return continueWrite(newSize);
 }
 
 status_t Parcel::restartWrite(size_t desired)