commit 890f9f0da4cf0df9da92989d6fd378bc3b622e60
author android-build-team Robot <android-build-team-robot@google.com> Mon Aug 24 15:30:42 2020 +0000
committer Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> Mon Aug 24 15:30:42 2020 +0000
tree 1443e8741df9aa77cb6410d23f52c97df24fe96b
parent 6072de17cd812daf238092695f26a552d3122f8c
parent a790490ec973cd1799384a367da59d0200591c0a

Merge cherrypicks of [12364563, 12364330, 12364331, 12364332, 12363743, 12364605, 12363956, 12363957, 12363958, 12364309, 12364483, 12364484, 12364564, 12364333, 12364334, 12364335, 12364336, 12364337, 12364607] into rvc-release am: a790490ec9

Original change: https://googleplex-android-review.googlesource.com/c/platform/system/core/+/12364682

Change-Id: I5d460e022ec749177c37301bed64f48d8b8d272e

libutils/String8.cpp

diff --git a/libutils/String8.cpp b/libutils/String8.cpp
index d13548e..9d50e0b 100644
--- a/libutils/String8.cpp
+++ b/libutils/String8.cpp
@@ -322,8 +322,14 @@
     n = vsnprintf(nullptr, 0, fmt, tmp_args);
     va_end(tmp_args);
 
-    if (n != 0) {
+    if (n < 0) return UNKNOWN_ERROR;
+
+    if (n > 0) {
         size_t oldLength = length();
+        if ((size_t)n > SIZE_MAX - 1 ||
+            oldLength > SIZE_MAX - (size_t)n - 1) {
+            return NO_MEMORY;
+        }
         char* buf = lockBuffer(oldLength + n);
         if (buf) {
             vsnprintf(buf + oldLength, n + 1, fmt, args);