Fix addition/overflow checks. am: b022196fb6

Change-Id: I12be279d82d7806fb80bfe7d4ed24a12e24c2c07

1 files changed, 6 insertions, 5 deletions

diff --git a/Parcel.cpp b/Parcel.cpp
index 3cd7c17..a7b7486 100644
--- a/Parcel.cpp
+++ b/Parcel.cpp
@@ -672,8 +672,10 @@ restart_write:
         if (err != NO_ERROR) return err;
     }
     if (!enoughObjects) {
+        if (mObjectsSize > SIZE_MAX - 2) return NO_MEMORY; // overflow
+        if (mObjectsSize + 2 > SIZE_MAX / 3) return NO_MEMORY; // overflow
         size_t newSize = ((mObjectsSize+2)*3)/2;
-        if (newSize * sizeof(binder_size_t) < mObjectsSize) return NO_MEMORY;   // overflow
+        if (newSize > SIZE_MAX / sizeof(binder_size_t)) return NO_MEMORY; // overflow
         binder_size_t* objects = (binder_size_t*)realloc(mObjects, newSize*sizeof(binder_size_t));
         if (objects == nullptr) return NO_MEMORY;
         mObjects = objects;
@@ -1695,11 +1697,10 @@ status_t Parcel::growData(size_t len)
         // inadvertent conversion from a negative int.
         return BAD_VALUE;
     }
-
+    if (len > SIZE_MAX - mDataSize) return NO_MEMORY; // overflow
+    if (mDataSize + len > SIZE_MAX / 3) return NO_MEMORY; // overflow
     size_t newSize = ((mDataSize+len)*3)/2;
-    return (newSize <= mDataSize)
-            ? (status_t) NO_MEMORY
-            : continueWrite(newSize);
+    return continueWrite(newSize);
 }
 
 status_t Parcel::restartWrite(size_t desired)