author Christopher Tate <ctate@google.com> 2015-06-08 14:45:14 -0700
committer Christopher Tate <ctate@google.com> 2015-06-08 14:49:09 -0700
commited7a50cc7d490ae7aece2d16422c5f7941876468 (patch)
treea8c6d660d656e0d5a79cb2ed20f859b8a86e1426 /libs/binder/BufferedTextOutput.cpp
parent98e67d352b8805a868ca0e7c2be3ea830fb7c338 (diff)
Prevent integer overflow when calculating buffer resizes
Make sure that we don't go haywire if an exponential buffer growth operation winds up wrapping integer range. Along the way, fix a bookkeeping bug in BufferedTextOutput that would cause it to keep spuriously realloc()ing on every append(). Bug 20674694 Change-Id: Ia845b7de36b90672a151a918ffc26c7da68e20a2
Diffstat (limited to 'libs/binder/BufferedTextOutput.cpp')
-rw-r--r--libs/binder/BufferedTextOutput.cpp5
1 files changed, 4 insertions, 1 deletions
diff --git a/libs/binder/BufferedTextOutput.cpp b/libs/binder/BufferedTextOutput.cpp
index 2d493c1511..1339a67e62 100644
--- a/libs/binder/BufferedTextOutput.cpp
+++ b/libs/binder/BufferedTextOutput.cpp
@@ -49,9 +49,12 @@ struct BufferedTextOutput::BufferState : public RefBase
status_t append(const char* txt, size_t len) {
if ((len+bufferPos) > bufferSize) {
- void* b = realloc(buffer, ((len+bufferPos)*3)/2);
+ size_t newSize = ((len+bufferPos)*3)/2;
+ if (newSize < (len+bufferPos)) return NO_MEMORY; // overflow
+ void* b = realloc(buffer, newSize);
if (!b) return NO_MEMORY;
buffer = (char*)b;
+ bufferSize = newSize;
}
memcpy(buffer+bufferPos, txt, len);
bufferPos += len;