libbinder: keep ashmem size >= 0 Avoid integer overflow. Bug: 123590642 Test: device boots Change-Id: I9f25827842da00c4e69efca849c6a94721964007

commit: aa6e1118cc39f64361aac614f58105557e7f3299 [log] [tgz]
author: Tri Vo <trong@google.com> Tue Jan 29 13:23:46 2019 -0800
committer: Tri Vo <trong@google.com> Tue Jan 29 20:11:35 2019 -0800
tree: ab1180629ae9a0fcb47d003db7ff24e98dc6ef14
parent: f9a1f695d30c3cc96dc6c890407a0db34411521e [diff]
diff --git a/libs/binder/Parcel.cpp b/libs/binder/Parcel.cpp
index b2db945..0423264 100644
--- a/libs/binder/Parcel.cpp
+++ b/libs/binder/Parcel.cpp

@@ -181,7 +181,10 @@
                 if ((outAshmemSize != nullptr) && ashmem_valid(obj.handle)) {
                     int size = ashmem_get_size_region(obj.handle);
                     if (size > 0) {
-                        *outAshmemSize -= size;
+                        // ashmem size might have changed since last time it was accounted for, e.g.
+                        // in acquire_object(). Value of *outAshmemSize is not critical since we are
+                        // releasing the object anyway. Check for integer overflow condition.
+                        *outAshmemSize -= std::min(*outAshmemSize, static_cast<size_t>(size));
                     }
                 }
commit	aa6e1118cc39f64361aac614f58105557e7f3299	[log] [tgz]
author	Tri Vo <trong@google.com>	Tue Jan 29 13:23:46 2019 -0800
committer	Tri Vo <trong@google.com>	Tue Jan 29 20:11:35 2019 -0800
tree	ab1180629ae9a0fcb47d003db7ff24e98dc6ef14
parent	f9a1f695d30c3cc96dc6c890407a0db34411521e [diff]