commit bc373795288a3c40828e7ad421a9d17fbbed8633
author Devin Moore <devinmoore@google.com> Thu Sep 17 09:45:46 2020 -0700
committer Devin Moore <devinmoore@google.com> Mon Sep 21 16:11:32 2020 +0000
tree b69d716133ae6696a61c7dcca5780dcf57b8a87d
parent 1fd40783df716ff6b5aa75ccd0ccf2fba4488e7b

Prevent shift with negative operands

Shifts with negative operands are undefined behavior

Test: aidl_parser_fuzzer negative_left_shift && atest aidl_unittests
aidl_integration_test
Bug: 168792643

Change-Id: Ifba0e3bcdaa25adc463c35f916ef5e9051bf82f8

aidl_const_expressions.cpp

diff --git a/aidl_const_expressions.cpp b/aidl_const_expressions.cpp
index 48980f5..a3f45bc 100644
--- a/aidl_const_expressions.cpp
+++ b/aidl_const_expressions.cpp
@@ -101,14 +101,14 @@
   T operator==(T o) { return mValue == o; }
   T operator!=(T o) { return mValue != o; }
   T operator>>(T o) {
-    if (o < 0 || o > static_cast<T>(sizeof(T) * 8)) {
+    if (o < 0 || o > static_cast<T>(sizeof(T) * 8) || mValue < 0) {
       mOverflowed = true;
       return 0;
     }
     return mValue >> o;
   }
   T operator<<(T o) {
-    if (o < 0 || o > static_cast<T>(sizeof(T) * 8)) {
+    if (o < 0 || o > static_cast<T>(sizeof(T) * 8) || mValue < 0) {
       mOverflowed = true;
       return 0;
     }