diff options
| author | 2016-12-05 21:23:36 +0000 | |
|---|---|---|
| committer | 2016-12-05 21:23:36 +0000 | |
| commit | 13c5c34e6ef3e44a18dd8b6c742bad5852486457 (patch) | |
| tree | 8f327ee596c72d9b7488778a22f57ea95881509c | |
| parent | 9d14ab54098a803f00c97bc2ab3ea1133203b3d8 (diff) | |
| parent | ed6937ae2c356c06743e059dca4b438727d28f41 (diff) | |
Correct overflow check in Parcel resize code am: 8b64307e95
am: ed6937ae2c
Change-Id: I9ea154fd1f2ca3a69f756066fb49efc99e889224
| -rw-r--r-- | libs/binder/Parcel.cpp | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/libs/binder/Parcel.cpp b/libs/binder/Parcel.cpp index ba7ccfc023..3100a58111 100644 --- a/libs/binder/Parcel.cpp +++ b/libs/binder/Parcel.cpp @@ -438,7 +438,8 @@ status_t Parcel::appendFrom(const Parcel *parcel, size_t offset, size_t len) if (numObjects > 0) { // grow objects if (mObjectsCapacity < mObjectsSize + numObjects) { - int newSize = ((mObjectsSize + numObjects)*3)/2; + size_t newSize = ((mObjectsSize + numObjects)*3)/2; + if (newSize*sizeof(binder_size_t) < mObjectsSize) return NO_MEMORY; // overflow binder_size_t *objects = (binder_size_t*)realloc(mObjects, newSize*sizeof(binder_size_t)); if (objects == (binder_size_t*)0) { @@ -941,6 +942,7 @@ restart_write: } if (!enoughObjects) { size_t newSize = ((mObjectsSize+2)*3)/2; + if (newSize*sizeof(binder_size_t) < mObjectsSize) return NO_MEMORY; // overflow binder_size_t* objects = (binder_size_t*)realloc(mObjects, newSize*sizeof(binder_size_t)); if (objects == NULL) return NO_MEMORY; mObjects = objects; |