author | 2025-02-14 04:09:07 -0800 | |
---|---|---|
committer | 2025-02-14 04:09:07 -0800 | |
commit | 7fd1b808aeba4b6da1393c31b043829432d316ed (patch) | |
tree | 66368948aa8b95d3c483120198697adc4f58b0ec | |
parent | 645a3995905cb6a1913b27e6d2678a0e6ee7027c (diff) | |
parent | eb26374a4f508f5a76a9909aef5b489b565a6b29 (diff) |
Merge "Relax integer limits in argument handling of native Zygote loop" into main am: 7f97613f42 am: eb26374a4f
Original change: https://android-review.googlesource.com/c/platform/frameworks/base/+/3493952
Change-Id: I90360ea60e11c31ca72d847a45d77b86c44a99a7
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
-rw-r--r-- | core/jni/com_android_internal_os_ZygoteCommandBuffer.cpp | 18 |
1 files changed, 13 insertions, 5 deletions
diff --git a/core/jni/com_android_internal_os_ZygoteCommandBuffer.cpp b/core/jni/com_android_internal_os_ZygoteCommandBuffer.cpp
index e0cc055a62a6..c4259f41e380 100644
--- a/core/jni/com_android_internal_os_ZygoteCommandBuffer.cpp
+++ b/core/jni/com_android_internal_os_ZygoteCommandBuffer.cpp
@@ -266,16 +266,24 @@ class NativeCommandBuffer {
 }
 // Picky version of atoi(). No sign or unexpected characters allowed. Return -1 on failure.
 static int digitsVal(char* start, char* end) {
+ constexpr int vmax = std::numeric_limits<int>::max();
 int result = 0;
- if (end - start > 6) {
- return -1;
- }
 for (char* dp = start; dp < end; ++dp) {
 if (*dp < '0' || *dp > '9') {
- ALOGW("Argument failed integer format check");
+ ALOGW("Argument contains non-integer characters");
+ return -1;
+ }
+ int digit = *dp - '0';
+ if (result > vmax / 10) {
+ ALOGW("Argument exceeds int limit");
+ return -1;
+ }
+ result *= 10;
+ if (result > vmax - digit) {
+ ALOGW("Argument exceeds int limit");
 return -1;
 }
- result = 10 * result + (*dp - '0');
+ result += digit;
 }
 return result;
 } |
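Review bot: `digitsVal` still returns 0 when `start == end`, because the loop body never runs, so an empty digit string is indistinguishable from a literal "0" even though the comment promises a picky parser that returns -1 on failure. If the callers (outside this hunk) do not already guarantee a non-empty range, add `if (start == end) return -1;` before the loop. Removing the `end - start > 6` check also widens the accepted range from 999999 to `INT_MAX`, so any caller that used the result as a count or length without its own bound should be re-checked. The two overflow guards look correct, but the hunk does not show `<limits>` being included, so confirm the file includes it directly rather than relying on a transitive include.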