Fix potential overflow in MessageQueue am: e22d925e42
am: 2e1e6c2239
Change-Id: I862a8fe18577fe90e0443c822f363ee004bddd43
diff --git a/include/fmq/MessageQueue.h b/include/fmq/MessageQueue.h
index b8a4c2f..6f315b2 100644
--- a/include/fmq/MessageQueue.h
+++ b/include/fmq/MessageQueue.h
@@ -628,6 +628,11 @@
template <typename T, MQFlavor flavor>
MessageQueue<T, flavor>::MessageQueue(size_t numElementsInQueue, bool configureEventFlagWord) {
+
+ // Check if the buffer size would not overflow size_t
+ if (numElementsInQueue > SIZE_MAX / sizeof(T)) {
+ return;
+ }
/*
* The FMQ needs to allocate memory for the ringbuffer as well as for the
* read and write pointer counters. If an EventFlag word is to be configured,
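Review bot: The early return on L14 leaves the object constructed but silently half-initialised, and the hunk gives no indication of how callers learn about it; the test added in this commit relies on `isValid()` reporting false, which presumably holds only because the descriptor members keep their default state when the allocation below is skipped. Recording that dependency would save the next maintainer a guess, e.g. replacing the comment on L12 with `// Bail out before allocating: numElementsInQueue * sizeof(T) would overflow size_t; mDesc stays unset, so isValid() reports the failure.` (member name to be confirmed against the class). Note also that the check guards only the ringbuffer product, while the comment that follows says the same allocation also covers the read/write pointer counters and an optional EventFlag word; if those bytes are added to the product further down, a value just under `SIZE_MAX / sizeof(T)` can still wrap, so a guard on the total requested size (or a margin for the extra words) would be tighter. The constructor body continues outside the hunk.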
diff --git a/tests/mq_test.cpp b/tests/mq_test.cpp
index 2f03904..96528d3 100644
--- a/tests/mq_test.cpp
+++ b/tests/mq_test.cpp
@@ -95,7 +95,7 @@
};
class QueueSizeOdd : public ::testing::Test {
- protected:
+protected:
virtual void TearDown() {
delete mQueue;
}
@@ -119,6 +119,9 @@
size_t mNumMessagesMax = 0;
};
+class BadQueueConfig: public ::testing::Test {
+};
+
/*
* Utility function to initialize data to be written to the FMQ
*/
@@ -189,6 +192,19 @@
ASSERT_EQ(android::NO_ERROR, status);
}
+
+TEST_F(BadQueueConfig, QueueSizeTooLarge) {
+ typedef android::hardware::MessageQueue<uint16_t, android::hardware::kSynchronizedReadWrite>
+ MessageQueueSync16;
+ size_t numElementsInQueue = SIZE_MAX / sizeof(uint16_t) + 1;
+ MessageQueueSync16 * fmq = new (std::nothrow) MessageQueueSync16(numElementsInQueue);
+ ASSERT_NE(nullptr, fmq);
+ /*
+ * Should fail due to size being too large to fit into size_t.
+ */
+ ASSERT_FALSE(fmq->isValid());
+}
+
/*
* Test that basic blocking works. This test uses the non-blocking read()/write()
* APIs.
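Review bot: The `MessageQueueSync16` allocated with `new (std::nothrow)` on L48 is never deleted, and because `ASSERT_NE`/`ASSERT_FALSE` return from the test body on failure, a trailing `delete` would be skipped on exactly the path the test is meant to exercise; the other fixtures in this file release `mQueue` in `TearDown`, so this test stands out. Holding the object in a smart pointer fixes both: `std::unique_ptr<MessageQueueSync16> fmq(new (std::nothrow) MessageQueueSync16(numElementsInQueue));` followed by `ASSERT_NE(nullptr, fmq.get());` and `ASSERT_FALSE(fmq->isValid());`. Since the guard is an exact boundary, a companion assertion that `SIZE_MAX / sizeof(uint16_t)` itself is not rejected by the overflow check (it may still fail for other reasons, so hedge the expectation) would pin the off-by-one behaviour of the new condition.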