author | android-build-team Robot <android-build-team-robot@google.com> | 2020-10-21 18:09:34 +0000 |
---|---|---|
committer | android-build-team Robot <android-build-team-robot@google.com> | 2020-10-21 18:09:34 +0000 |
commit | 591e683c210cdc2866d487137cd2c2278802ff77 (patch) | |
tree | c443e46e75dd5b3deaf225410c8ac3e2b506611b | |
parent | 9b8a586b6bd07cb3e5bbb780282e7a604df59643 (diff) | |
parent | 3c751b9f66ee163c628918f1508eea3bf6015185 (diff) | |
Snap for 6921388 from 3c751b9f66ee163c628918f1508eea3bf6015185 to qt-aml-tzdata-release
Change-Id: I5c9b35fe8ca1cd4bd34db5880a0f612ec138372c
-rw-r--r-- | libutils/FileMap.cpp | 6 | ||||
-rw-r--r-- | libutils/FileMap_test.cpp | 13 | ||||
-rw-r--r-- | libutils/String16.cpp | 2 | ||||
-rw-r--r-- | libutils/String8.cpp | 8 |
4 files changed, 26 insertions, 3 deletions
diff --git a/libutils/FileMap.cpp b/libutils/FileMap.cpp
index 1202c156d..c8286311f 100644
--- a/libutils/FileMap.cpp
+++ b/libutils/FileMap.cpp
@@ -189,7 +189,11 @@ bool FileMap::create(const char* origFileName, int fd, off64_t offset, size_t le
 int adjust = offset % mPageSize;
 off64_t adjOffset = offset - adjust;
- size_t adjLength = length + adjust;
+ size_t adjLength;
+ if (__builtin_add_overflow(length, adjust, &adjLength)) {
+ ALOGE("adjusted length overflow: length %zu adjust %d", length, adjust);
+ return false;
+ }
 int flags = MAP_SHARED;
 int prot = PROT_READ;
diff --git a/libutils/FileMap_test.cpp b/libutils/FileMap_test.cpp
index 576d89bbe..096e27a56 100644
--- a/libutils/FileMap_test.cpp
+++ b/libutils/FileMap_test.cpp
@@ -32,3 +32,16 @@ TEST(FileMap, zero_length_mapping) {
 ASSERT_EQ(0u, m.getDataLength());
 ASSERT_EQ(4096, m.getDataOffset());
 }
+
+TEST(FileMap, offset_overflow) {
+ // Make sure that an end that overflows SIZE_MAX will not abort.
+ // See http://b/156997193.
+ TemporaryFile tf;
+ ASSERT_TRUE(tf.fd != -1);
+
+ off64_t offset = 200;
+ size_t length = SIZE_MAX;
+
+ android::FileMap m;
+ ASSERT_FALSE(m.create("test", tf.fd, offset, length, true));
+}
diff --git a/libutils/String16.cpp b/libutils/String16.cpp
index 818b17124..caab1bd99 100644
--- a/libutils/String16.cpp
+++ b/libutils/String16.cpp
@@ -389,7 +389,7 @@ status_t String16::remove(size_t len, size_t begin)
 mString = getEmptyString();
 return OK;
 }
- if ((begin+len) > N) len = N-begin;
+ if (len > N || len > N - begin) len = N - begin;
 if (begin == 0 && len == N) {
 return OK;
 }
diff --git a/libutils/String8.cpp b/libutils/String8.cpp
index 0025c5648..81ec598c3 100644
--- a/libutils/String8.cpp
+++ b/libutils/String8.cpp
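Review bot: In the FileMap::create hunk, `adjust` is an `int` taken from `offset % mPageSize`, so a negative `offset` produces a negative `adjust`, and `__builtin_add_overflow(length, adjust, &adjLength)` then accepts any `length` larger than its magnitude and yields a shortened `adjLength` instead of failing. Nothing visible in the hunk rejects a negative offset; the function starts above the hunk, so an earlier guard may exist, but if it does not, `if (offset < 0) return false;` ahead of the `adjust` computation would make the rejection explicit rather than leaving it to mmap. A short comment on the new check, for example `// length + adjust must fit in size_t; the builtin handles the mixed signed/unsigned operands`, would record why the builtin is used instead of a plain comparison.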
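Review bot: In the String16::remove hunk, the first clause of `if (len > N || len > N - begin)` is redundant whenever `begin < N`, because `N - begin` can never exceed `N`. The branch closed just above the changed line looks like it returns for an out-of-range `begin`, but its condition is outside the hunk, so that invariant should be confirmed. If it holds, `if (len > N - begin) len = N - begin;  // begin < N here, so the subtraction cannot wrap` does the same clamp with the invariant written down. The diffstat lists FileMap_test.cpp as the only test file touched, so neither this clamp nor the String8::appendFormatV change gains a regression test with a length near SIZE_MAX.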
@@ -322,8 +322,14 @@ status_t String8::appendFormatV(const char* fmt, va_list args)
 n = vsnprintf(nullptr, 0, fmt, tmp_args);
 va_end(tmp_args);
- if (n != 0) {
+ if (n < 0) return UNKNOWN_ERROR;
+
+ if (n > 0) {
 size_t oldLength = length();
+ if ((size_t)n > SIZE_MAX - 1 ||
+ oldLength > SIZE_MAX - (size_t)n - 1) {
+ return NO_MEMORY;
+ }
 char* buf = lockBuffer(oldLength + n);
 if (buf) {
 vsnprintf(buf + oldLength, n + 1, fmt, args); |
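Review bot: The `n + 1` passed to the second `vsnprintf` is still computed in `n`'s own type, so if `n` is an `int` (its declaration is above the hunk) a measured length of INT_MAX is a signed overflow at that call. The new guard compares against SIZE_MAX, which does not cover that case where `size_t` is wider than `int`, and there `(size_t)n > SIZE_MAX - 1` can never be true. Widening at the call, `vsnprintf(buf + oldLength, (size_t)n + 1, fmt, args);`, or rejecting `n == INT_MAX` next to the NO_MEMORY check would close it. The `if (buf) {` block and the rest of appendFormatV continue past the end of the hunk.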