libutils: clearer abort on overflow.

Let's turn a bug into a feature... Since this code is built with intsan, anyone who caused overflow here will have had an abort, so we know no-one actually needs the BAD_INDEX return that was presumably the original author's intent. So let's just mandate that, since it's a lot harder to ignore an abort than it is to ignore an error return. Bug: http://b/179044558 Test: treehugger Change-Id: I08f1018f9da1e09de885699138b7543d55bb2a36 (cherry picked from commit a5f2e4d421) Merged-In: I08f1018f9da1e09de885699138b7543d55bb2a36
2022-04-27 13:59:49 -07:00 · 2022-04-27 13:59:49 -07:00 · b10bf63c93
commit b10bf63c93
parent 1a2dbd917e
2 changed files with 15 additions and 8 deletions
--- a/libutils/VectorImpl.cpp
+++ b/libutils/VectorImpl.cpp
@ -279,14 +279,12 @@ ssize_t VectorImpl::replaceAt(const void* prototype, size_t index)

 ssize_t VectorImpl::removeItemsAt(size_t index, size_t count)
 {
-    ALOG_ASSERT((index+count)<=size(),
-        "[%p] remove: index=%d, count=%d, size=%d",
-               this, (int)index, (int)count, (int)size());
-
-    if ((index+count) > size())
-        return BAD_VALUE;
-   _shrink(index, count);
-   return index;
+    size_t end;
+    LOG_ALWAYS_FATAL_IF(__builtin_add_overflow(index, count, &end), "overflow: index=%zu count=%zu",
+                        index, count);
+    if (end > size()) return BAD_VALUE;
+    _shrink(index, count);
+    return index;
 }

 void VectorImpl::finish_vector()
--- a/libutils/Vector_test.cpp
+++ b/libutils/Vector_test.cpp
@ -136,4 +136,13 @@ TEST_F(VectorTest, editArray_Shared) {
  }
 }

+TEST_F(VectorTest, removeItemsAt_overflow) {
+    android::Vector<int> v;
+    for (int i = 0; i < 666; i++) v.add(i);
+
+    ASSERT_DEATH(v.removeItemsAt(SIZE_MAX, 666), "overflow");
+    ASSERT_DEATH(v.removeItemsAt(666, SIZE_MAX), "overflow");
+    ASSERT_DEATH(v.removeItemsAt(SIZE_MAX, SIZE_MAX), "overflow");
+}
+
 } // namespace android