agm: check for boundary size
The calculation of payloadSize might be a negative
value, which gets assigned to the unsigned 32-bit
int type variable payloadSize.
Change-Id: I0d3d5bae385738f35303fe2a3af676cafb38c8c0
diff --git a/service/src/graph.c b/service/src/graph.c
index 0e79b8c..fe2f228 100644
--- a/service/src/graph.c
+++ b/service/src/graph.c
@@ -1186,7 +1186,7 @@
size_t size = 0;
struct gsl_tag_module_info *tag_info;
struct gsl_tag_module_info_entry *tag_entry;
- uint32_t offset = 0;
+ uint32_t offset = 0, temp_sum = 0;
uint32_t total_parsed_size = 0;
uint8_t tag_pool[TAGGED_MOD_SIZE_BYTES] = { 0 };
@@ -1268,9 +1268,10 @@
payloadACDBTunnelInfo->num_gkvs * sizeof(struct agm_key_value);
AGM_LOGD("blob size = %d", payloadACDBTunnelInfo->blob_size);
- actual_size = payloadACDBTunnelInfo->blob_size -
- (payloadACDBTunnelInfo->num_gkvs + payloadACDBTunnelInfo->num_kvs) *
- sizeof(struct agm_key_value);
+ __builtin_add_overflow(payloadACDBTunnelInfo->num_gkvs * sizeof(struct agm_key_value),
+ payloadACDBTunnelInfo->num_kvs * sizeof(struct agm_key_value),
+ &temp_sum);
+ __builtin_sub_overflow(payloadACDBTunnelInfo->blob_size, temp_sum, &actual_size);
AGM_LOGD("actual size = 0x%x", actual_size);
AGM_LOGI("num kvs = %d", kv.num_kvs);
ptr = kv.kv;