Fix integer overflow in utf{16,32}_to_utf8_length am: f0a43dede9 am: 33abf90994

am: 789673b15c Change-Id: I352f33cf5a9a402a17f7a0f2c8739b54256392c2
author: Adam Vartanian <flooey@google.com> 2017-09-11 10:54:22 +0000
committer: android-build-merger <android-build-merger@google.com> 2017-09-11 10:54:22 +0000
commit: 1436927851220a761679f0d317618a235880a79e (patch)
tree: 354767505dfcf1164fb87ce77cb0648ac3d63c81 /libutils/Unicode.cpp
parent: 1bc2862ac5c8f70486d4911fa997804c656dbc39 (diff)
parent: 789673b15c936c3b67b2a75eff6b6e70951664cc (diff)
1 files changed, 21 insertions, 3 deletions
diff --git a/libutils/Unicode.cpp b/libutils/Unicode.cpp
index 2b5293e74..8ae9ef24d 100644
--- a/libutils/Unicode.cpp
+++ b/libutils/Unicode.cpp
@@ -18,6 +18,7 @@
 #include <utils/Unicode.h>
 
 #include <stddef.h>
+#include <limits.h>
 
 #ifdef HAVE_WINSOCK
 # undef  nhtol
@@ -178,7 +179,15 @@ ssize_t utf32_to_utf8_length(const char32_t *src, size_t src_len)
     size_t ret = 0;
     const char32_t *end = src + src_len;
     while (src < end) {
-        ret += utf32_codepoint_utf8_length(*src++);
+        size_t char_len = utf32_codepoint_utf8_length(*src++);
+        if (SSIZE_MAX - char_len < ret) {
+            // If this happens, we would overflow the ssize_t type when
+            // returning from this function, so we cannot express how
+            // long this string is in an ssize_t.
+            android_errorWriteLog(0x534e4554, "37723026");
+            return -1;
+        }
+        ret += char_len;
     }
     return ret;
 }
@@ -414,14 +423,23 @@ ssize_t utf16_to_utf8_length(const char16_t *src, size_t src_len)
     size_t ret = 0;
     const char16_t* const end = src + src_len;
     while (src < end) {
+        size_t char_len;
         if ((*src & 0xFC00) == 0xD800 && (src + 1) < end
                 && (*(src + 1) & 0xFC00) == 0xDC00) {
             // surrogate pairs are always 4 bytes.
-            ret += 4;
+            char_len = 4;
             src += 2;
         } else {
-            ret += utf32_codepoint_utf8_length((char32_t) *src++);
+            char_len = utf32_codepoint_utf8_length((char32_t)*src++);
+        }
+        if (SSIZE_MAX - char_len < ret) {
+            // If this happens, we would overflow the ssize_t type when
+            // returning from this function, so we cannot express how
+            // long this string is in an ssize_t.
+            android_errorWriteLog(0x534e4554, "37723026");
+            return -1;
         }
+        ret += char_len;
     }
     return ret;
 }
author	Adam Vartanian <flooey@google.com>	2017-09-11 10:54:22 +0000
committer	android-build-merger <android-build-merger@google.com>	2017-09-11 10:54:22 +0000
commit	1436927851220a761679f0d317618a235880a79e (patch)
tree	354767505dfcf1164fb87ce77cb0648ac3d63c81 /libutils/Unicode.cpp
parent	1bc2862ac5c8f70486d4911fa997804c656dbc39 (diff)
parent	789673b15c936c3b67b2a75eff6b6e70951664cc (diff)