From 7b9fb4924db8be8e33f1d41b53feb3d4e4966381 Mon Sep 17 00:00:00 2001
From: Sergio Giro
Date: Tue, 18 Aug 2015 17:36:50 +0100
Subject: libutils: fix overflow in SharedBuffer [DO NOT MERGE]
See https://code.google.com/p/android/issues/detail?id=181910
Bug: 22952485
(cherry picked from commit 66b6eb9490beeeabc804d790c1c4060ce047afd4)
Change-Id: Ic71dd0025b9a7588c4f3bb1c7be1bd13d2ff5105
Conflicts:
libpixelflinger/tinyutils/SharedBuffer.cpp
libutils/Android.mk
---
 libpixelflinger/tinyutils/SharedBuffer.cpp | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/libpixelflinger/tinyutils/SharedBuffer.cpp b/libpixelflinger/tinyutils/SharedBuffer.cpp
index ef781a7..730c6d8 100644
--- a/libpixelflinger/tinyutils/SharedBuffer.cpp
+++ b/libpixelflinger/tinyutils/SharedBuffer.cpp
@@ -6,11 +6,15 @@
 *
 */
+#define __STDC_LIMIT_MACROS
+#include
 #include
 #include
 #include
+#define LOG_TAG "SharedBuffer"
+#include
 #include "tinyutils/SharedBuffer.h"
 // ---------------------------------------------------------------------------
@@ -19,6 +23,11 @@ namespace android {
 SharedBuffer* SharedBuffer::alloc(size_t size)
 {
+ // Don't overflow if the combined size of the buffer / header is larger than
+ // size_max.
+ LOG_ALWAYS_FATAL_IF((size >= (SIZE_MAX - sizeof(SharedBuffer))),
+ "Invalid buffer size %zu", size);
+
 SharedBuffer* sb = static_cast(malloc(sizeof(SharedBuffer) + size));
 if (sb) {
 sb->mRefs = 1;
@@ -45,7 +54,7 @@ SharedBuffer* SharedBuffer::edit() const
 memcpy(sb->data(), data(), size());
 release();
 }
- return sb;
+ return sb;
 }
 SharedBuffer* SharedBuffer::editResize(size_t newSize) const
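Review bot: The guard added to alloc protects only the `sizeof(SharedBuffer) + size` addition on the malloc line; a caller that derives `size` from a count multiplied by an element size can already have wrapped to a small, valid-looking value before reaching this check, so those callers (not visible in this hunk) still need their own multiplication check. Aborting through LOG_ALWAYS_FATAL_IF is a reasonable fail-closed choice for a size that can only arise from a bug or an attack, but since the existing `if (sb)` path already handles a NULL return, the comment should say why a crash was chosen over `return NULL`. The comment text is also misleading as written — the check does not "not overflow if" the size is too large, it aborts before the addition can wrap — so I would replace the two comment lines with `// Abort rather than let sizeof(SharedBuffer) + size wrap past SIZE_MAX; a wrapped size would under-allocate the buffer.`. alloc's body continues past the end of the hunk.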
@@ -53,6 +62,11 @@ SharedBuffer* SharedBuffer::editResize(size_t newSize) const
 if (onlyOwner()) {
 SharedBuffer* buf = const_cast(this);
 if (buf->mSize == newSize) return buf;
+ // Don't overflow if the combined size of the new buffer / header is larger than
+ // size_max.
+ LOG_ALWAYS_FATAL_IF((newSize >= (SIZE_MAX - sizeof(SharedBuffer))),
+ "Invalid buffer size %zu", newSize);
+
 buf = (SharedBuffer*)realloc(buf, sizeof(SharedBuffer) + newSize);
 if (buf != NULL) {
 buf->mSize = newSize;
--
cgit v1.1
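Review bot: The bound in editResize repeats the alloc expression verbatim, so the two limits can silently drift apart on the next edit; a single file-local helper such as `static inline bool fitsWithHeader(size_t n) { return n < SIZE_MAX - sizeof(SharedBuffer); }` used by both `LOG_ALWAYS_FATAL_IF(!fitsWithHeader(newSize), ...)` calls would keep one definition of "maximum payload" and make the condition readable. The check is placed only in the onlyOwner() branch; the non-owner branch presumably allocates through alloc, which now carries the same guard, but that branch is outside the hunk and should be confirmed. Unrelated to the commit but visible here: if `realloc` fails the original buffer pointer is overwritten with NULL, and if the function then returns buf the old allocation is never released — worth a follow-up. editResize starts before this hunk and continues past it.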