summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorNick Kralevich2015-08-28 08:40:23 -0500
committerNick Kralevich2015-08-28 08:40:23 -0500
commitc76698f24e785a8984fa9d9d0bf8f81aa28746cc (patch)
treeeab0b7bfc934e0fa93028a65a353cafa0834123c
parentf4355868cbce0713331bbb04b063515d6de4c795 (diff)
downloadplatform-system-core-c76698f24e785a8984fa9d9d0bf8f81aa28746cc.tar.gz
platform-system-core-c76698f24e785a8984fa9d9d0bf8f81aa28746cc.tar.xz
platform-system-core-c76698f24e785a8984fa9d9d0bf8f81aa28746cc.zip
VectorImpl.cpp: fix benign multiplication overflow
j is a ssize_t, which can go negative. If it goes negative, the resulting multiplication of mItemSize*j doesn't make any sense. Since the value is never used, just don't perform the calculation if j < 0. Bug: 23607865 Change-Id: I14f6f6506645d582f7d67a2e2d60ead3cb18b957
-rw-r--r--libutils/VectorImpl.cpp5
1 files changed, 4 insertions, 1 deletions
diff --git a/libutils/VectorImpl.cpp b/libutils/VectorImpl.cpp
index bdb54b14a..2f770f590 100644
--- a/libutils/VectorImpl.cpp
+++ b/libutils/VectorImpl.cpp
@@ -198,7 +198,10 @@ status_t VectorImpl::sort(VectorImpl::compar_r_t cmp, void* state)
198 _do_copy(next, curr, 1); 198 _do_copy(next, curr, 1);
199 next = curr; 199 next = curr;
200 --j; 200 --j;
201 curr = reinterpret_cast<char*>(array) + mItemSize*(j); 201 curr = NULL;
202 if (j >= 0) {
203 curr = reinterpret_cast<char*>(array) + mItemSize*(j);
204 }
202 } while (j>=0 && (cmp(curr, temp, state) > 0)); 205 } while (j>=0 && (cmp(curr, temp, state) > 0));
203 206
204 _do_destroy(next, 1); 207 _do_destroy(next, 1);