commit 0289d3d81619567137d2133821375b3805154f92
author Karsten Tausche <karsten@fairphone.com> Mon Oct 05 16:06:58 2020 +0200
committer Karsten Tausche <karsten@fairphone.com> Thu Oct 08 13:44:53 2020 +0200
tree b2f109d1ee44ffbf112b8336c2fba692f203d5a8
parent f60e3c9acb259ab0b5d7bb462e04f1fd50ce7ccd
parent 3655b3122e299c619cc42b874077e4952fb5fb21

Merge the 2020-10-05 SPL branch from AOSP-Partner

* security-aosp-pi-release:
  libutils: check vsnprintf error
  String16::remove - avoid overflow

Change-Id: I356a5734ccac24b20f27e3f8577861884b69acda

libutils/String16.cpp

diff --git a/libutils/String16.cpp b/libutils/String16.cpp
index e8f1c51..7055fc6 100644
--- a/libutils/String16.cpp
+++ b/libutils/String16.cpp
@@ -402,7 +402,7 @@
         mString = getEmptyString();
         return NO_ERROR;
     }
-    if ((begin+len) > N) len = N-begin;
+    if (len > N || len > N - begin) len = N - begin;
     if (begin == 0 && len == N) {
         return NO_ERROR;
     }

libutils/String8.cpp

diff --git a/libutils/String8.cpp b/libutils/String8.cpp
index ad0e72e..8f9c9f7 100644
--- a/libutils/String8.cpp
+++ b/libutils/String8.cpp
@@ -346,8 +346,14 @@
     n = vsnprintf(NULL, 0, fmt, tmp_args);
     va_end(tmp_args);
 
-    if (n != 0) {
+    if (n < 0) return UNKNOWN_ERROR;
+
+    if (n > 0) {
         size_t oldLength = length();
+        if ((size_t)n > SIZE_MAX - 1 ||
+            oldLength > SIZE_MAX - (size_t)n - 1) {
+            return NO_MEMORY;
+        }
         char* buf = lockBuffer(oldLength + n);
         if (buf) {
             vsnprintf(buf + oldLength, n + 1, fmt, args);