commit 6c8c8138434d2381a78407e9876121d3bcef55a7
author Dan Austin <danielaustin@google.com> Thu Sep 10 22:02:03 2015 +0000
committer Gerrit Code Review <noreply-gerritcodereview@google.com> Thu Sep 10 22:02:03 2015 +0000
tree bbab8c46a2078d67eb1f643c387932d1a5a8c05f
parent 8c77ec506a83538d85cf68b8095541ca8aa8c788
parent 48fd7b457bb0657253d6012e787f50498b32ae42

Merge "Benign unsigned integer overflow in Parcel"

libs/binder/Parcel.cpp

diff --git a/libs/binder/Parcel.cpp b/libs/binder/Parcel.cpp
index 24c8a77..ace1d1b 100644
--- a/libs/binder/Parcel.cpp
+++ b/libs/binder/Parcel.cpp
@@ -1550,8 +1550,14 @@
         if (mData) {
             LOG_ALLOC("Parcel %p: freeing with %zu capacity", this, mDataCapacity);
             pthread_mutex_lock(&gParcelGlobalAllocSizeLock);
-            gParcelGlobalAllocSize -= mDataCapacity;
-            gParcelGlobalAllocCount--;
+            if (mDataCapacity <= gParcelGlobalAllocSize) {
+              gParcelGlobalAllocSize = gParcelGlobalAllocSize - mDataCapacity;
+            } else {
+              gParcelGlobalAllocSize = 0;
+            }
+            if (gParcelGlobalAllocCount > 0) {
+              gParcelGlobalAllocCount--;
+            }
             pthread_mutex_unlock(&gParcelGlobalAllocSizeLock);
             free(mData);
         }
@@ -1712,6 +1718,7 @@
                 pthread_mutex_lock(&gParcelGlobalAllocSizeLock);
                 gParcelGlobalAllocSize += desired;
                 gParcelGlobalAllocSize -= mDataCapacity;
+                gParcelGlobalAllocCount++;
                 pthread_mutex_unlock(&gParcelGlobalAllocSizeLock);
                 mData = data;
                 mDataCapacity = desired;