From a5f2e4d421fa50c5e7fe3f7dc4a98e1e97ddfc74 Mon Sep 17 00:00:00 2001
From: Elliott Hughes
Date: Wed, 27 Apr 2022 13:59:49 -0700
Subject: [PATCH] libutils: clearer abort on overflow.

Let's turn a bug into a feature... Since this code is built with intsan, anyone who caused overflow here will have had an abort, so we know no-one actually needs the BAD_INDEX return that was presumably the original author's intent. So let's just mandate that, since it's a lot harder to ignore an abort than it is to ignore an error return.
Bug: http://b/179044558
Test: treehugger
Change-Id: I08f1018f9da1e09de885699138b7543d55bb2a36
---
 libutils/VectorImpl.cpp | 14 ++++++--------
 libutils/Vector_test.cpp | 9 +++++++++
 2 files changed, 15 insertions(+), 8 deletions(-)

diff --git a/libutils/VectorImpl.cpp b/libutils/VectorImpl.cpp
index c97a19bc6..d951b8bbb 100644
--- a/libutils/VectorImpl.cpp
+++ b/libutils/VectorImpl.cpp
@@ -279,14 +279,12 @@ ssize_t VectorImpl::replaceAt(const void* prototype, size_t index)
 ssize_t VectorImpl::removeItemsAt(size_t index, size_t count)
 {
- ALOG_ASSERT((index+count)<=size(),
- "[%p] remove: index=%d, count=%d, size=%d",
- this, (int)index, (int)count, (int)size());
-
- if ((index+count) > size())
- return BAD_VALUE;
- _shrink(index, count);
- return index;
+ size_t end;
+ LOG_ALWAYS_FATAL_IF(__builtin_add_overflow(index, count, &end), "overflow: index=%zu count=%zu",
+ index, count);
+ if (end > size()) return BAD_VALUE;
+ _shrink(index, count);
+ return index;
 }
 void VectorImpl::finish_vector()
diff --git a/libutils/Vector_test.cpp b/libutils/Vector_test.cpp
index 5336c40c3..6d90eaa9e 100644
--- a/libutils/Vector_test.cpp
+++ b/libutils/Vector_test.cpp
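Review bot: The rewritten body of `removeItemsAt` removes the `ALOG_ASSERT` along with the wrapping arithmetic, so a request that does not overflow but still runs past the end (`end > size()`) now returns BAD_VALUE with no diagnostic at all. The commit message argues that an abort is harder to ignore than an error return, and the same applies to this path, where a caller that drops the return value silently keeps its items. Consider keeping the assertion on the checked sum, placed before the `if`: `ALOG_ASSERT(end <= size(), "[%p] remove: index=%zu, count=%zu, size=%zu", this, index, count, size());`. A short comment above the fatal check would also help, for example `// A wrapped index+count could pass the bounds check below and reach _shrink() out of range, so abort.`, since the reasoning currently lives only in the commit message.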
@@ -136,4 +136,13 @@ TEST_F(VectorTest, editArray_Shared) {
 }
 }
+TEST_F(VectorTest, removeItemsAt_overflow) {
+ android::Vector v;
+ for (int i = 0; i < 666; i++) v.add(i);
+
+ ASSERT_DEATH(v.removeItemsAt(SIZE_MAX, 666), "overflow");
+ ASSERT_DEATH(v.removeItemsAt(666, SIZE_MAX), "overflow");
+ ASSERT_DEATH(v.removeItemsAt(SIZE_MAX, SIZE_MAX), "overflow");
+}
+
 } // namespace android
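Review bot: The three `ASSERT_DEATH` calls match only the bare word "overflow", which a sanitizer abort on the old wrapping addition would presumably also satisfy, so the test may not show that the new `LOG_ALWAYS_FATAL_IF` is what fires. Matching the message prefix pins it to the new check, e.g. `ASSERT_DEATH(v.removeItemsAt(SIZE_MAX, 666), "overflow: index=");`. The test also leaves the non-aborting side of the bounds check uncovered. A case such as `EXPECT_EQ(BAD_VALUE, v.removeItemsAt(1, 666));`, plus one in-range removal that checks the returned index, would lock in that only true overflow is fatal.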