From 0f0cb957b26b72c618f0e86846e616cc47a86cc6 Mon Sep 17 00:00:00 2001
From: Steven Moreland <smoreland@google.com>
Date: Tue, 28 Jul 2020 21:41:54 +0000
Subject: libutils: check vsnprintf error

For encoding errors, this function will return a negative value which
causes problems down the line. Check for an error and return. Also,
integer overflows are guarded.

Bug: 161894517
Test: fuzzer test case
Change-Id: Ia85067d4258bde4b875c832d6223db5dd26b8838
---
 libutils/String8.cpp | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

(limited to 'libutils/String8.cpp')

diff --git a/libutils/String8.cpp b/libutils/String8.cpp
index c83789145..438ef83a9 100644
--- a/libutils/String8.cpp
+++ b/libutils/String8.cpp
@@ -309,8 +309,14 @@ status_t String8::appendFormatV(const char* fmt, va_list args)
     n = vsnprintf(nullptr, 0, fmt, tmp_args);
     va_end(tmp_args);
 
-    if (n != 0) {
+    if (n < 0) return UNKNOWN_ERROR;
+
+    if (n > 0) {
         size_t oldLength = length();
+        if (n > std::numeric_limits<size_t>::max() - 1 ||
+            oldLength > std::numeric_limits<size_t>::max() - n - 1) {
+            return NO_MEMORY;
+        }
         char* buf = lockBuffer(oldLength + n);
         if (buf) {
             vsnprintf(buf + oldLength, n + 1, fmt, args);
-- 
cgit v1.2.3