-rw-r--r-- | BufferedTextOutput.cpp | 4 | ||||
-rw-r--r-- | Parcel.cpp | 11 |
2 files changed, 8 insertions, 7 deletions
diff --git a/BufferedTextOutput.cpp b/BufferedTextOutput.cpp
index 0a0f4d6..5addba4 100644
--- a/BufferedTextOutput.cpp
+++ b/BufferedTextOutput.cpp
@@ -52,15 +52,15 @@ struct BufferedTextOutput::BufferState : public RefBase
 }
 status_t append(const char* txt, size_t len) {
+ if (len > SIZE_MAX - bufferPos) return NO_MEMORY; // overflow
 if ((len+bufferPos) > bufferSize) {
+ if ((len + bufferPos) > SIZE_MAX / 3) return NO_MEMORY; // overflow
 size_t newSize = ((len+bufferPos)*3)/2;
- if (newSize < (len+bufferPos)) return NO_MEMORY; // overflow
 void* b = realloc(buffer, newSize);
 if (!b) return NO_MEMORY;
 buffer = (char*)b;
 bufferSize = newSize;
 }
- if ((len+bufferPos) < bufferPos) return NO_MEMORY; // integer overflow
 memcpy(buffer+bufferPos, txt, len);
 bufferPos += len;
 return NO_ERROR;
@@ -672,8 +672,10 @@ restart_write:
 if (err != NO_ERROR) return err;
 }
 if (!enoughObjects) {
+ if (mObjectsSize > SIZE_MAX - 2) return NO_MEMORY; // overflow
+ if (mObjectsSize + 2 > SIZE_MAX / 3) return NO_MEMORY; // overflow
 size_t newSize = ((mObjectsSize+2)*3)/2;
- if (newSize * sizeof(binder_size_t) < mObjectsSize) return NO_MEMORY; // overflow
+ if (newSize > SIZE_MAX / sizeof(binder_size_t)) return NO_MEMORY; // overflow
 binder_size_t* objects = (binder_size_t*)realloc(mObjects, newSize*sizeof(binder_size_t));
 if (objects == nullptr) return NO_MEMORY;
 mObjects = objects;
@@ -1695,11 +1697,10 @@ status_t Parcel::growData(size_t len)
 // inadvertent conversion from a negative int.
 return BAD_VALUE;
 }
-
+ if (len > SIZE_MAX - mDataSize) return NO_MEMORY; // overflow
+ if (mDataSize + len > SIZE_MAX / 3) return NO_MEMORY; // overflow
 size_t newSize = ((mDataSize+len)*3)/2;
- return (newSize <= mDataSize) ? (status_t) NO_MEMORY : continueWrite(newSize);
+ return continueWrite(newSize);
 }
 status_t Parcel::restartWrite(size_t desired) |
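Review bot: The `// overflow` comments on the two new guards in append() do not say which operation each one protects, and in code whose only job is overflow hygiene the next reader should not have to re-derive that; I would write `if (len > SIZE_MAX - bufferPos) return NO_MEMORY; // len + bufferPos would wrap` and `if ((len + bufferPos) > SIZE_MAX / 3) return NO_MEMORY; // (len + bufferPos) * 3 would wrap`, and give the Parcel.cpp guards the same treatment. The arithmetic itself is sound: the first guard makes `len+bufferPos` exact, the second keeps the `*3` below SIZE_MAX, and `(x*3)/2 >= x` for every x, so the realloc size always covers the copy. SIZE_MAX needs `<stdint.h>`/`<cstdint>`, and the hunk does not show whether this file already includes it. append()'s closing brace lies past the end of the hunk.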
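Review bot: The object-array growth now carries the same three-guard `(n*3)/2` arithmetic that BufferedTextOutput::append and Parcel::growData carry, each hand-written; duplicated overflow checks are exactly what drifted in the code this commit replaces (the old check compared the wrong quantities), so I would fold the pattern into one file-local helper and call it from both Parcel.cpp sites. The version below keeps the element-size multiply this hunk needs and takes elem = 1 for growData. The enclosing function starts before the hunk (the `restart_write:` label) and continues past `mObjects = objects;`, so whatever updates the capacity afterwards is not visible here.
```cpp
// Grow `used + extra` elements of `elem` (>= 1) bytes by 3/2. Returns false
// if any intermediate product would wrap size_t; callers map that to NO_MEMORY.
static bool growBy3Halves(size_t used, size_t extra, size_t elem, size_t* outCount) {
    if (extra > SIZE_MAX - used) return false;            // used + extra wraps
    const size_t need = used + extra;
    if (need > SIZE_MAX / 3) return false;                // need * 3 wraps
    const size_t grown = (need * 3) / 2;
    if (grown > SIZE_MAX / elem) return false;            // grown * elem wraps
    *outCount = grown;
    return true;
}
// … unchanged: everything up to the capacity check …
    if (!enoughObjects) {
        size_t newSize;
        if (!growBy3Halves(mObjectsSize, 2, sizeof(binder_size_t), &newSize)) return NO_MEMORY;
        binder_size_t* objects = (binder_size_t*)realloc(mObjects, newSize*sizeof(binder_size_t));
```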
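Review bot: The `mDataSize + len > SIZE_MAX / 3` guard in growData fails a request that would itself fit whenever it is the 1.5x headroom, not the request, that overflows; on a 32-bit build that is any parcel past roughly 1.4 GB, which is presumably unreachable given the BAD_VALUE cap just above (its condition sits outside the hunk, but its comment says it rejects a negative int converted to size_t), yet the comment should record that the exact-size fallback was deliberately not taken: `// (mDataSize + len) * 3 would wrap; no exact-size fallback, the parcel is rejected`. If a fallback is wanted instead, `newSize = mDataSize + len` in that branch is the one-line alternative. Note that continueWrite may apply its own size cap to `newSize`; that is outside the hunk. growData's head is outside the hunk; the function ends at the `}` shown.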