DO NOT MERGE - Merge RP1A.201005.006 Bug: 168212094 Change-Id: I79a7517bce1c012eac2a2a7c1c2cffc5a3516eaa Merged-In: Ia85067d4258bde4b875c832d6223db5dd26b8838

commit: 7fd5f8d2bcaf36391f0b7c10540f2171f6795d08 [log] [tgz]
author: The Android Open Source Project <initial-contribution@android.com> Mon Oct 05 21:00:29 2020 -0700
committer: Xin Li <delphij@google.com> Tue Oct 06 04:30:21 2020 +0000
tree: cbde48cfbe88492ece3d90a5c0ddbc1a359ed95e
parent: 1bacb2c389efda4f6a946a1aa271470acb65800f [diff]
parent: a790490ec973cd1799384a367da59d0200591c0a [diff]
diff --git a/libutils/String8.cpp b/libutils/String8.cpp
index c837891..3dc2026 100644
--- a/libutils/String8.cpp
+++ b/libutils/String8.cpp

@@ -309,8 +309,14 @@
     n = vsnprintf(nullptr, 0, fmt, tmp_args);
     va_end(tmp_args);
 
-    if (n != 0) {
+    if (n < 0) return UNKNOWN_ERROR;
+
+    if (n > 0) {
         size_t oldLength = length();
+        if ((size_t)n > SIZE_MAX - 1 ||
+            oldLength > SIZE_MAX - (size_t)n - 1) {
+            return NO_MEMORY;
+        }
         char* buf = lockBuffer(oldLength + n);
         if (buf) {
             vsnprintf(buf + oldLength, n + 1, fmt, args);
commit	7fd5f8d2bcaf36391f0b7c10540f2171f6795d08	[log] [tgz]
author	The Android Open Source Project <initial-contribution@android.com>	Mon Oct 05 21:00:29 2020 -0700
committer	Xin Li <delphij@google.com>	Tue Oct 06 04:30:21 2020 +0000
tree	cbde48cfbe88492ece3d90a5c0ddbc1a359ed95e
parent	1bacb2c389efda4f6a946a1aa271470acb65800f [diff]
parent	a790490ec973cd1799384a367da59d0200591c0a [diff]