VectorImpl.cpp: fix benign multiplication overflow

j is a ssize_t, which can go negative. If it goes negative, the resulting multiplication of mItemSize*j doesn't make any sense. Since the value is never used, just don't perform the calculation if j < 0. Bug: 23607865 Change-Id: I14f6f6506645d582f7d67a2e2d60ead3cb18b957
author: Nick Kralevich <nnk@google.com> 2015-08-28 06:40:23 -0700
committer: Nick Kralevich <nnk@google.com> 2015-08-28 06:40:23 -0700
commit: c76698f24e785a8984fa9d9d0bf8f81aa28746cc (patch)
tree: eab0b7bfc934e0fa93028a65a353cafa0834123c /libutils/VectorImpl.cpp
parent: f4355868cbce0713331bbb04b063515d6de4c795 (diff)
1 files changed, 4 insertions, 1 deletions
diff --git a/libutils/VectorImpl.cpp b/libutils/VectorImpl.cpp
index bdb54b14a..2f770f590 100644
--- a/libutils/VectorImpl.cpp
+++ b/libutils/VectorImpl.cpp
@@ -198,7 +198,10 @@ status_t VectorImpl::sort(VectorImpl::compar_r_t cmp, void* state)
                     _do_copy(next, curr, 1);
                     next = curr;
                     --j;
-                    curr = reinterpret_cast<char*>(array) + mItemSize*(j);                    
+                    curr = NULL;
+                    if (j >= 0) {
+                        curr = reinterpret_cast<char*>(array) + mItemSize*(j);
+                    }
                 } while (j>=0 && (cmp(curr, temp, state) > 0));
 
                 _do_destroy(next, 1);
author	Nick Kralevich <nnk@google.com>	2015-08-28 06:40:23 -0700
committer	Nick Kralevich <nnk@google.com>	2015-08-28 06:40:23 -0700
commit	c76698f24e785a8984fa9d9d0bf8f81aa28746cc (patch)
tree	eab0b7bfc934e0fa93028a65a353cafa0834123c /libutils/VectorImpl.cpp
parent	f4355868cbce0713331bbb04b063515d6de4c795 (diff)