Fix int overflow in SpannableStringBuilder.replace

During the offset calculation for selection, SpannableStringBuilder
had an overflow while multiplying two int values. This CL uses long to
calculate the multiplication, and also checks for overflow after
casting the final result into int again.

Bug: 29108549
Change-Id: I11eff4677916701074b38bc5214730fe704707c4

diff --git a/core/java/android/text/SpannableStringBuilder.java b/core/java/android/text/SpannableStringBuilder.java
index 787202e..dc8e4b9 100644 (file)
--- a/core/java/android/text/SpannableStringBuilder.java
+++ b/core/java/android/text/SpannableStringBuilder.java
@@ -19,7 +19,6 @@ package android.text;
 import android.annotation.Nullable;
 import android.graphics.Canvas;
 import android.graphics.Paint;
-import android.text.style.ParagraphStyle;
 import android.util.Log;
 
 import com.android.internal.util.ArrayUtils;
@@ -554,7 +553,8 @@ public class SpannableStringBuilder implements CharSequence, GetChars, Spannable
         if (adjustSelection) {
             boolean changed = false;
             if (selectionStart > start && selectionStart < end) {
-                final int offset = (selectionStart - start) * newLen / origLen;
+                final long diff = selectionStart - start;
+                final int offset = Math.toIntExact(diff * newLen / origLen);
                 selectionStart = start + offset;
 
                 changed = true;
@@ -562,7 +562,8 @@ public class SpannableStringBuilder implements CharSequence, GetChars, Spannable
                         Spanned.SPAN_POINT_POINT);
             }
             if (selectionEnd > start && selectionEnd < end) {
-                final int offset = (selectionEnd - start) * newLen / origLen;
+                final long diff = selectionEnd - start;
+                final int offset = Math.toIntExact(diff * newLen / origLen);
                 selectionEnd = start + offset;
 
                 changed = true;