author | Steven Moreland <smoreland@google.com> | 2020-07-28 21:41:54 +0000 |
---|---|---|
committer | Anis Assi <anisassi@google.com> | 2020-08-13 09:15:43 -0700 |
commit | 3655b3122e299c619cc42b874077e4952fb5fb21 (patch) | |
tree | 06c634815dda0e9d8a3ba385302ecbfecf8c816d | |
parent | f67fc5c222f03a956ccc0748995ec470cd874f2e (diff) | |
download | core-3655b3122e299c619cc42b874077e4952fb5fb21.tar.gz |
libutils: check vsnprintf error [android-9.0.0_r61]
For encoding errors, this function will return a negative value which
causes problems down the line. Check for an error and return. Also,
integer overflows are guarded.
Bug: 161894517
Test: fuzzer test case
Change-Id: Ia85067d4258bde4b875c832d6223db5dd26b8838
Merged-In: Ia85067d4258bde4b875c832d6223db5dd26b8838
(cherry picked from commit ee22384c54d42149491c8b9dbcda0d8c5e88eddc)
-rw-r--r-- | libutils/String8.cpp | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/libutils/String8.cpp b/libutils/String8.cpp
index ad0e72ec1..8f9c9f723 100644
--- a/libutils/String8.cpp
+++ b/libutils/String8.cpp
@@ -346,8 +346,14 @@ status_t String8::appendFormatV(const char* fmt, va_list args)
 n = vsnprintf(NULL, 0, fmt, tmp_args);
 va_end(tmp_args);
 
- if (n != 0) {
+ if (n < 0) return UNKNOWN_ERROR;
+
+ if (n > 0) {
 size_t oldLength = length();
+ if ((size_t)n > SIZE_MAX - 1 ||
+ oldLength > SIZE_MAX - (size_t)n - 1) {
+ return NO_MEMORY;
+ }
 char* buf = lockBuffer(oldLength + n);
 if (buf) {
 vsnprintf(buf + oldLength, n + 1, fmt, args); |
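Review bot: The second `vsnprintf(buf + oldLength, n + 1, fmt, args)` at the end of the hunk still ignores its return value, so the error handling added for the sizing call does not cover the call that actually writes into the locked buffer. If that call fails or yields a length other than `n`, the bytes past `oldLength` are not what the caller expects; capturing the result, e.g. `int written = vsnprintf(buf + oldLength, n + 1, fmt, args);`, and treating `written != n` as an error once the buffer is unlocked would close the gap. The new overflow guard accounts only for the terminating NUL, so it is worth confirming that `lockBuffer` (not visible here) rejects sizes that overflow once its own allocation overhead is added. The `if (buf)` block and the rest of `appendFormatV` continue outside the hunk.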