Treat larger than jint capacity in NewDirectByteBuffer as an error
Bug: 15854028
Change-Id: If78921f4ba2b38a9d0bb421acf9c8bca962ed42a
diff --git a/runtime/jni_internal.cc b/runtime/jni_internal.cc
index 513b409..2fadfb0 100644
--- a/runtime/jni_internal.cc
+++ b/runtime/jni_internal.cc
@@ -2447,13 +2447,18 @@
static jobject NewDirectByteBuffer(JNIEnv* env, void* address, jlong capacity) {
if (capacity < 0) {
JniAbortF("NewDirectByteBuffer", "negative buffer capacity: %" PRId64, capacity);
+ return nullptr;
}
if (address == nullptr && capacity != 0) {
JniAbortF("NewDirectByteBuffer", "non-zero capacity for nullptr pointer: %" PRId64, capacity);
+ return nullptr;
}
- // At the moment, the capacity is limited to 32 bits.
- CHECK_LE(capacity, 0xffffffff);
+ // At the moment, the capacity is limited to a jint (31 bits).
+ if (capacity > INT_MAX) {
+ JniAbortF("NewDirectByteBuffer", "buffer capacity greater than maximum jint: %" PRId64, capacity);
+ return nullptr;
+ }
jlong address_arg = reinterpret_cast<jlong>(address);
jint capacity_arg = static_cast<jint>(capacity);