Merge changes from topic 'utf'

* changes:
  Add bound checks to utf16_to_utf8
  Unicode: specify destination length in utf8_to_utf16 methods
diff --git a/libs/binder/Parcel.cpp b/libs/binder/Parcel.cpp
index 5886d74..061cb08 100644
--- a/libs/binder/Parcel.cpp
+++ b/libs/binder/Parcel.cpp
@@ -750,7 +750,7 @@
     const uint8_t* strData = (uint8_t*)str.data();
     const size_t strLen= str.length();
     const ssize_t utf16Len = utf8_to_utf16_length(strData, strLen);
-    if (utf16Len < 0 || utf16Len> std::numeric_limits<int32_t>::max()) {
+    if (utf16Len < 0 || utf16Len > std::numeric_limits<int32_t>::max()) {
         return BAD_VALUE;
     }
 
@@ -765,7 +765,7 @@
         return NO_MEMORY;
     }
 
-    utf8_to_utf16(strData, strLen, (char16_t*)dst);
+    utf8_to_utf16(strData, strLen, (char16_t*)dst, (size_t) utf16Len + 1);
 
     return NO_ERROR;
 }
@@ -1761,15 +1761,16 @@
        return NO_ERROR;
     }
 
-    ssize_t utf8Size = utf16_to_utf8_length(src, utf16Size);
-    if (utf8Size < 0) {
+    // Allow for closing '\0'
+    ssize_t utf8Size = utf16_to_utf8_length(src, utf16Size) + 1;
+    if (utf8Size < 1) {
         return BAD_VALUE;
     }
     // Note that while it is probably safe to assume string::resize keeps a
-    // spare byte around for the trailing null, we're going to be explicit.
-    str->resize(utf8Size + 1);
-    utf16_to_utf8(src, utf16Size, &((*str)[0]));
+    // spare byte around for the trailing null, we still pass the size including the trailing null
     str->resize(utf8Size);
+    utf16_to_utf8(src, utf16Size, &((*str)[0]), utf8Size);
+    str->resize(utf8Size - 1);
     return NO_ERROR;
 }