From f626ca2c96f629627a8df6944c9b0d774e6e67ae Mon Sep 17 00:00:00 2001
From: Narayan Kamath
Date: Tue, 8 Apr 2014 16:10:52 +0100
Subject: [PATCH] Don't allow MemoryFiles of negative length.

Prevents us from converting a (signed) jint into an (unsigned) size_t and having horrible things happen.

Change-Id: I0f04e2eb9852ae7fc49b435fd0974f56e86751a4
---
 core/java/android/os/MemoryFile.java | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/core/java/android/os/MemoryFile.java b/core/java/android/os/MemoryFile.java
index ee7a4c664ba6b..6cec55a4a09eb 100644
--- a/core/java/android/os/MemoryFile.java
+++ b/core/java/android/os/MemoryFile.java
@@ -63,12 +63,17 @@ public class MemoryFile
 * Allocates a new ashmem region. The region is initially not purgable.
 *
 * @param name optional name for the file (can be null).
- * @param length of the memory file in bytes.
+ * @param length of the memory file in bytes, must be non-negative.
 * @throws IOException if the memory file could not be created.
 */
 public MemoryFile(String name, int length) throws IOException {
 mLength = length;
- mFD = native_open(name, length);
+ if (length >= 0) {
+ mFD = native_open(name, length);
+ } else {
+ throw new IOException("Invalid length: " + length);
+ }
+
 if (length > 0) {
 mAddress = native_mmap(mFD, length, PROT_READ | PROT_WRITE);
 } else {
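Review bot: The negative-length check runs only after `mLength = length;` has stored the rejected value, and it is written as an if/else wrapped around `native_open`. A guard clause as the first statement of the constructor, `if (length < 0) { throw new IOException("Invalid length: " + length); }`, would reject the value before any field is written and leave the `native_open` call unconditional. The `@throws IOException` line still says only "if the memory file could not be created"; it should also say that a negative length is rejected this way. The signed-to-unsigned conversion named in the commit message happens in the native code, which is outside this hunk, so it is worth confirming that `native_open` and `native_mmap` cannot be reached with a negative length by any other path. The constructor body continues past the end of the hunk.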