From ed7a50cc7d490ae7aece2d16422c5f7941876468 Mon Sep 17 00:00:00 2001
From: Christopher Tate <ctate@google.com>
Date: Mon, 8 Jun 2015 14:45:14 -0700
Subject: Prevent integer overflow when calculating buffer resizes

Make sure that we don't go haywire if an exponential buffer growth
operation winds up wrapping integer range.  Along the way, fix a
bookkeeping bug in BufferedTextOutput that would cause it to keep
spuriously realloc()ing on every append().

Bug 20674694

Change-Id: Ia845b7de36b90672a151a918ffc26c7da68e20a2
---
 libs/binder/BufferedTextOutput.cpp | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

(limited to 'libs/binder/BufferedTextOutput.cpp')

diff --git a/libs/binder/BufferedTextOutput.cpp b/libs/binder/BufferedTextOutput.cpp
index 2d493c1511..1339a67e62 100644
--- a/libs/binder/BufferedTextOutput.cpp
+++ b/libs/binder/BufferedTextOutput.cpp
@@ -49,9 +49,12 @@ struct BufferedTextOutput::BufferState : public RefBase
     
     status_t append(const char* txt, size_t len) {
         if ((len+bufferPos) > bufferSize) {
-            void* b = realloc(buffer, ((len+bufferPos)*3)/2);
+            size_t newSize = ((len+bufferPos)*3)/2;
+            if (newSize < (len+bufferPos)) return NO_MEMORY;    // overflow
+            void* b = realloc(buffer, newSize);
             if (!b) return NO_MEMORY;
             buffer = (char*)b;
+            bufferSize = newSize;
         }
         memcpy(buffer+bufferPos, txt, len);
         bufferPos += len;
-- 
cgit v1.2.3-59-g8ed1b