String16: remove integer overflows

Bug: 73826242
Test: manual
Change-Id: I32e13d61b944c1a527cf2d95473552d246e322be
(cherry picked from commit 0e5fbea0)

libutils/String16.cpp

@@ -79,6 +79,23 @@ static char16_t* allocFromUTF8(const char* u8str, size_t u8len)
     return getEmptyString();
 }
 
+static char16_t* allocFromUTF16(const char16_t* u16str, size_t u16len) {
+    if (u16len >= SIZE_MAX / sizeof(char16_t)) {
+        android_errorWriteLog(0x534e4554, "73826242");
+        abort();
+    }
+
+    SharedBuffer* buf = SharedBuffer::alloc((u16len + 1) * sizeof(char16_t));
+    ALOG_ASSERT(buf, "Unable to allocate shared buffer");
+    if (buf) {
+        char16_t* str = (char16_t*)buf->data();
+        memcpy(str, u16str, u16len * sizeof(char16_t));
+        str[u16len] = 0;
+        return str;
+    }
+    return getEmptyString();
+}
+
 // ---------------------------------------------------------------------------
 
 String16::String16()
@@ -111,35 +128,9 @@ String16::String16(const String16& o, size_t len, size_t begin)
     setTo(o, len, begin);
 }
 
-String16::String16(const char16_t* o)
-{
-    size_t len = strlen16(o);
-    SharedBuffer* buf = SharedBuffer::alloc((len+1)*sizeof(char16_t));
-    ALOG_ASSERT(buf, "Unable to allocate shared buffer");
-    if (buf) {
-        char16_t* str = (char16_t*)buf->data();
-        strcpy16(str, o);
-        mString = str;
-        return;
-    }
-
-    mString = getEmptyString();
-}
-
-String16::String16(const char16_t* o, size_t len)
-{
-    SharedBuffer* buf = SharedBuffer::alloc((len+1)*sizeof(char16_t));
-    ALOG_ASSERT(buf, "Unable to allocate shared buffer");
-    if (buf) {
-        char16_t* str = (char16_t*)buf->data();
-        memcpy(str, o, len*sizeof(char16_t));
-        str[len] = 0;
-        mString = str;
-        return;
-    }
+String16::String16(const char16_t* o) : mString(allocFromUTF16(o, strlen16(o))) {}
 
-    mString = getEmptyString();
-}
+String16::String16(const char16_t* o, size_t len) : mString(allocFromUTF16(o, len)) {}
 
 String16::String16(const String8& o)
     : mString(allocFromUTF8(o.string(), o.size()))
@@ -201,6 +192,11 @@ status_t String16::setTo(const char16_t* other)
 
 status_t String16::setTo(const char16_t* other, size_t len)
 {
+    if (len >= SIZE_MAX / sizeof(char16_t)) {
+        android_errorWriteLog(0x534e4554, "73826242");
+        abort();
+    }
+
     SharedBuffer* buf = SharedBuffer::bufferFromData(mString)
         ->editResize((len+1)*sizeof(char16_t));
     if (buf) {
@@ -224,6 +220,11 @@ status_t String16::append(const String16& other)
         return NO_ERROR;
     }
 
+    if (myLen >= SIZE_MAX / sizeof(char16_t) - otherLen) {
+        android_errorWriteLog(0x534e4554, "73826242");
+        abort();
+    }
+
     SharedBuffer* buf = SharedBuffer::bufferFromData(mString)
         ->editResize((myLen+otherLen+1)*sizeof(char16_t));
     if (buf) {
@@ -245,6 +246,11 @@ status_t String16::append(const char16_t* chrs, size_t otherLen)
         return NO_ERROR;
     }
 
+    if (myLen >= SIZE_MAX / sizeof(char16_t) - otherLen) {
+        android_errorWriteLog(0x534e4554, "73826242");
+        abort();
+    }
+
     SharedBuffer* buf = SharedBuffer::bufferFromData(mString)
         ->editResize((myLen+otherLen+1)*sizeof(char16_t));
     if (buf) {