Merge the 2020-10-05 SPL branch from AOSP-Partner
* security-aosp-pi-release:
libutils: check vsnprintf error
String16::remove - avoid overflow
Change-Id: I356a5734ccac24b20f27e3f8577861884b69acda
diff --git a/libutils/String16.cpp b/libutils/String16.cpp
index e8f1c51..7055fc6 100644
--- a/libutils/String16.cpp
+++ b/libutils/String16.cpp
@@ -402,7 +402,7 @@
mString = getEmptyString();
return NO_ERROR;
}
- if ((begin+len) > N) len = N-begin;
+ if (len > N || len > N - begin) len = N - begin;
if (begin == 0 && len == N) {
return NO_ERROR;
}
diff --git a/libutils/String8.cpp b/libutils/String8.cpp
index ad0e72e..8f9c9f7 100644
--- a/libutils/String8.cpp
+++ b/libutils/String8.cpp
@@ -346,8 +346,14 @@
n = vsnprintf(NULL, 0, fmt, tmp_args);
va_end(tmp_args);
- if (n != 0) {
+ if (n < 0) return UNKNOWN_ERROR;
+
+ if (n > 0) {
size_t oldLength = length();
+ if ((size_t)n > SIZE_MAX - 1 ||
+ oldLength > SIZE_MAX - (size_t)n - 1) {
+ return NO_MEMORY;
+ }
char* buf = lockBuffer(oldLength + n);
if (buf) {
vsnprintf(buf + oldLength, n + 1, fmt, args);