authorShuo Gao2013-10-16 22:36:11 -0500
committerJesse Hall2013-10-31 01:24:29 -0500
commiteb0eb4f79fca083009aa7a6b6e28ddcdbcbd1214 (patch)
tree0b57a1d4b64788480efa9db1988ee7e313063085
parentd3beee649ffe7c2879b7b3616d33d6e813e28dbd (diff)
fix corruption in Vector<> when malloc falied
1. When alloc or realloc fails in the function SharedBuffer::editResize, it returns a NULL pointer; without a pointer check, mStorage would then be updated to 1 by SharedBuffer::data(), which is an obviously wrong address and would cause corruption when it is used, e.g. in capacity(). So add a pointer check on the return value of SharedBuffer::editResize: if it is NULL, do not use it to update mStorage, so that the value of mStorage is not polluted. 2. When alloc or realloc fails in the _grow and _shrink functions, mStorage keeps its original value, so mCount should not be updated here. Otherwise, mStorage might be 0 while mCount>0, and corruption would happen when trying to delete items from the Vector since mCount>0. Change-Id: I7c3814e843c459834ca5eed392e8d63d1cb7d2d8 Signed-off-by: Shuo Gao <shuo.gao@intel.com> Signed-off-by: Jian Luo <jian.luo@intel.com> Signed-off-by: Bruce Beare <bruce.j.beare@intel.com> Signed-off-by: Jack Ren <jack.ren@intel.com> Author-tracking-BZ: 139626
-rw-r--r--libutils/VectorImpl.cpp16
1 files changed, 14 insertions, 2 deletions
diff --git a/libutils/VectorImpl.cpp b/libutils/VectorImpl.cpp
index 5a79647cb..30ca6635e 100644
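--- a/libutils/VectorImpl.cpp
+++ b/libutils/VectorImpl.cpp
@@ -384,7 +384,11 @@ void* VectorImpl::_grow(size_t where, size_t amount)
 {
 const SharedBuffer* cur_sb = SharedBuffer::bufferFromData(mStorage);
 SharedBuffer* sb = cur_sb->editResize(new_capacity * mItemSize);
-mStorage = sb->data();
+if (sb) {
+mStorage = sb->data();
+} else {
+return NULL;
+}
 } else {
 SharedBuffer* sb = SharedBuffer::alloc(new_capacity * mItemSize);
 if (sb) {
@@ -399,6 +403,8 @@ void* VectorImpl::_grow(size_t where, size_t amount)
 }
 release_storage();
 mStorage = const_cast<void*>(array);
+} else {
+return NULL;
 }
 }
 } else {
@@ -436,7 +442,11 @@ void VectorImpl::_shrink(size_t where, size_t amount)
 {
 const SharedBuffer* cur_sb = SharedBuffer::bufferFromData(mStorage);
 SharedBuffer* sb = cur_sb->editResize(new_capacity * mItemSize);
-mStorage = sb->data();
+if (sb) {
+mStorage = sb->data();
+} else {
+return;
+}
 } else {
 SharedBuffer* sb = SharedBuffer::alloc(new_capacity * mItemSize);
 if (sb) {
@@ -451,6 +461,8 @@ void VectorImpl::_shrink(size_t where, size_t amount)
 }
 release_storage();
 mStorage = const_cast<void*>(array);
+} else{
+return;
 }
 }
 } else {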
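Review bot: The new NULL checks handle a failed allocation, but the size handed to `editResize()` and `SharedBuffer::alloc()` in `_grow` is still the unchecked product `new_capacity * mItemSize`. If that product wraps, the allocation can succeed with a buffer smaller than the vector believes it owns, and none of the checks added here fire. I would guard the multiplication before either call, for example `if (mItemSize != 0 && new_capacity > SIZE_MAX / mItemSize) return NULL;`. Separately, `_shrink` returns void, so its two new early returns leave `mCount` unchanged without telling the caller that nothing was removed; whether callers tolerate that is not visible here. Both function bodies start and end outside the hunks shown, so how `new_capacity` is computed should be confirmed against the full file.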