libutils: check vsnprintf errorandroid-9.0.0_r61

For encoding errors, this function will return a negative value which causes problems down the line. Check for an error and return. Also, integer overflows are guarded. Bug: 161894517 Test: fuzzer test case Change-Id: Ia85067d4258bde4b875c832d6223db5dd26b8838 Merged-In: Ia85067d4258bde4b875c832d6223db5dd26b8838 (cherry picked from commit ee22384c54d42149491c8b9dbcda0d8c5e88eddc)
author: Steven Moreland <smoreland@google.com> 2020-07-28 21:41:54 +0000
committer: Anis Assi <anisassi@google.com> 2020-08-13 09:15:43 -0700
commit: 3655b3122e299c619cc42b874077e4952fb5fb21 (patch)
tree: 06c634815dda0e9d8a3ba385302ecbfecf8c816d
parent: f67fc5c222f03a956ccc0748995ec470cd874f2e (diff)
download: core-3655b3122e299c619cc42b874077e4952fb5fb21.tar.gz
1 files changed, 7 insertions, 1 deletions
diff --git a/libutils/String8.cpp b/libutils/String8.cpp
index ad0e72ec1..8f9c9f723 100644
--- a/libutils/String8.cpp
+++ b/libutils/String8.cpp
@@ -346,8 +346,14 @@ status_t String8::appendFormatV(const char* fmt, va_list args)
     n = vsnprintf(NULL, 0, fmt, tmp_args);
     va_end(tmp_args);
 
-    if (n != 0) {
+    if (n < 0) return UNKNOWN_ERROR;
+
+    if (n > 0) {
         size_t oldLength = length();
+        if ((size_t)n > SIZE_MAX - 1 ||
+            oldLength > SIZE_MAX - (size_t)n - 1) {
+            return NO_MEMORY;
+        }
         char* buf = lockBuffer(oldLength + n);
         if (buf) {
             vsnprintf(buf + oldLength, n + 1, fmt, args);
author	Steven Moreland <smoreland@google.com>	2020-07-28 21:41:54 +0000
committer	Anis Assi <anisassi@google.com>	2020-08-13 09:15:43 -0700
commit	3655b3122e299c619cc42b874077e4952fb5fb21 (patch)
tree	06c634815dda0e9d8a3ba385302ecbfecf8c816d
parent	f67fc5c222f03a956ccc0748995ec470cd874f2e (diff)
download	core-3655b3122e299c619cc42b874077e4952fb5fb21.tar.gz