From eb4df8a82281ee9b2490eebc3c2eef8d669deb87 Mon Sep 17 00:00:00 2001 From: Siyamed Sinir Date: Fri, 3 Jun 2016 16:22:17 -0700 Subject: Fix int overflow in SpannableStringBuilder.replace During the offset calculation for selection, SpannableStringBuilder had an overflow while multiplying two int values. This CL uses long to calculate the multiplication, and also checks for overflow after casting the final result into int again. Bug: 29108549 Change-Id: I11eff4677916701074b38bc5214730fe704707c4 --- core/java/android/text/SpannableStringBuilder.java | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/core/java/android/text/SpannableStringBuilder.java b/core/java/android/text/SpannableStringBuilder.java index 787202eded02..dc8e4b93e093 100644 --- a/core/java/android/text/SpannableStringBuilder.java +++ b/core/java/android/text/SpannableStringBuilder.java @@ -19,7 +19,6 @@ package android.text; import android.annotation.Nullable; import android.graphics.Canvas; import android.graphics.Paint; -import android.text.style.ParagraphStyle; import android.util.Log; import com.android.internal.util.ArrayUtils; @@ -554,7 +553,8 @@ public class SpannableStringBuilder implements CharSequence, GetChars, Spannable if (adjustSelection) { boolean changed = false; if (selectionStart > start && selectionStart < end) { - final int offset = (selectionStart - start) * newLen / origLen; + final long diff = selectionStart - start; + final int offset = Math.toIntExact(diff * newLen / origLen); selectionStart = start + offset; changed = true; @@ -562,7 +562,8 @@ public class SpannableStringBuilder implements CharSequence, GetChars, Spannable Spanned.SPAN_POINT_POINT); } if (selectionEnd > start && selectionEnd < end) { - final int offset = (selectionEnd - start) * newLen / origLen; + final long diff = selectionEnd - start; + final int offset = Math.toIntExact(diff * newLen / origLen); selectionEnd = start + offset; changed = true; -- cgit v1.2.3-59-g8ed1b