summaryrefslogtreecommitdiff
path: root/Parcel.cpp
diff options
context:
space:
mode:
authorMartijn Coenen <maco@google.com>2020-03-27 08:26:39 +0000
committerAutomerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>2020-03-27 08:26:39 +0000
commite40d66fc612808e2094a383f7d9f62ad53614f7a (patch)
tree0028f473b97e9a61c6aab2e8a7dc59334747278d /Parcel.cpp
parentd7c72377a9131e0e46e0f41c4c23ff2b8a70f906 (diff)
parentb022196fb65be10e5aee7bd3d5cc14ab50bb9eef (diff)
downloadlibhwbinder-e40d66fc612808e2094a383f7d9f62ad53614f7a.tar.gz
Fix addition/overflow checks. am: b022196fb6
Change-Id: I12be279d82d7806fb80bfe7d4ed24a12e24c2c07
Diffstat (limited to 'Parcel.cpp')
-rw-r--r--Parcel.cpp11
1 files changed, 6 insertions, 5 deletions
diff --git a/Parcel.cpp b/Parcel.cpp
index 3cd7c17..a7b7486 100644
--- a/Parcel.cpp
+++ b/Parcel.cpp
@@ -672,8 +672,10 @@ restart_write:
if (err != NO_ERROR) return err;
}
if (!enoughObjects) {
+ if (mObjectsSize > SIZE_MAX - 2) return NO_MEMORY; // overflow
+ if (mObjectsSize + 2 > SIZE_MAX / 3) return NO_MEMORY; // overflow
size_t newSize = ((mObjectsSize+2)*3)/2;
- if (newSize * sizeof(binder_size_t) < mObjectsSize) return NO_MEMORY; // overflow
+ if (newSize > SIZE_MAX / sizeof(binder_size_t)) return NO_MEMORY; // overflow
binder_size_t* objects = (binder_size_t*)realloc(mObjects, newSize*sizeof(binder_size_t));
if (objects == nullptr) return NO_MEMORY;
mObjects = objects;
@@ -1695,11 +1697,10 @@ status_t Parcel::growData(size_t len)
// inadvertent conversion from a negative int.
return BAD_VALUE;
}
-
+ if (len > SIZE_MAX - mDataSize) return NO_MEMORY; // overflow
+ if (mDataSize + len > SIZE_MAX / 3) return NO_MEMORY; // overflow
size_t newSize = ((mDataSize+len)*3)/2;
- return (newSize <= mDataSize)
- ? (status_t) NO_MEMORY
- : continueWrite(newSize);
+ return continueWrite(newSize);
}
status_t Parcel::restartWrite(size_t desired)