From c76698f24e785a8984fa9d9d0bf8f81aa28746cc Mon Sep 17 00:00:00 2001
From: Nick Kralevich
Date: Fri, 28 Aug 2015 06:40:23 -0700
Subject: VectorImpl.cpp: fix benign multiplication overflow
j is a ssize_t, which can go negative. If it goes negative, the resulting multiplication of mItemSize*j doesn't make any sense. Since the value is never used, just don't perform the calculation if j < 0.
Bug: 23607865
Change-Id: I14f6f6506645d582f7d67a2e2d60ead3cb18b957
---
 libutils/VectorImpl.cpp | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
(limited to 'libutils/VectorImpl.cpp')
diff --git a/libutils/VectorImpl.cpp b/libutils/VectorImpl.cpp
index bdb54b14a..2f770f590 100644
--- a/libutils/VectorImpl.cpp
+++ b/libutils/VectorImpl.cpp
@@ -198,7 +198,10 @@ status_t VectorImpl::sort(VectorImpl::compar_r_t cmp, void* state)
 _do_copy(next, curr, 1);
 next = curr;
 --j;
- curr = reinterpret_cast(array) + mItemSize*(j);
+ curr = NULL;
+ if (j >= 0) {
+ curr = reinterpret_cast(array) + mItemSize*(j);
+ }
 } while (j>=0 && (cmp(curr, temp, state) > 0));
 _do_destroy(next, 1);
-- cgit v1.2.3
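Review bot: The added `curr = NULL;` is only safe because the loop condition on the following context line tests `j>=0` before it calls `cmp(curr, temp, state)`, and nothing in the new lines records that dependency. A short comment above the assignment would keep a later reordering of that condition from turning this into a null dereference inside the comparator, for example `// curr stays NULL once j < 0; the while condition checks j>=0 before using curr`. The guard covers only the negative case, so `mItemSize*(j)` for large non-negative j is still unchecked here; it is presumably bounded by the vector's size elsewhere, which cannot be confirmed from this hunk. The body of VectorImpl::sort starts and ends outside the hunk.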