__memcpy_chk: Fix signed cmp of unsigned values.

I accidentally did a signed comparison of the size_t values passed in
for three of the _chk functions. Changing them to unsigned compares.

Add three new tests to verify this failure is fixed.

Bug: 10691831
Change-Id: Ia831071f7dffd5972a748d888dd506c7cc7ddba3

libc/arch-arm/cortex-a15/bionic/__strcat_chk.S

@@ -180,7 +180,7 @@ ENTRY(__strcat_chk)
 .L_strlen_done:
     add     r2, r3, r4
     cmp     r2, lr
-    bgt     __strcat_chk_failed
+    bhi     __strcat_chk_failed
 
     // Set up the registers for the memcpy code.
     mov     r1, r5

libc/arch-arm/cortex-a15/bionic/__strcpy_chk.S

@@ -151,7 +151,7 @@ ENTRY(__strcpy_chk)
     pld     [r1, #64]
     ldr     r0, [sp]
     cmp     r3, lr
-    bge     __strcpy_chk_failed
+    bhs     __strcpy_chk_failed
 
     // Add 1 for copy length to get the string terminator.
     add     r2, r3, #1

libc/arch-arm/cortex-a15/bionic/memcpy.S

@@ -65,7 +65,7 @@
 ENTRY(__memcpy_chk)
         .cfi_startproc
         cmp     r2, r3
-        bgt     __memcpy_chk_fail
+        bhi     __memcpy_chk_fail
 
         // Fall through to memcpy...
         .cfi_endproc

libc/arch-arm/cortex-a9/bionic/__strcat_chk.S

@@ -183,7 +183,7 @@ ENTRY(__strcat_chk)
 .L_strlen_done:
     add     r2, r3, r4
     cmp     r2, lr
-    bgt     __strcat_chk_fail
+    bhi     __strcat_chk_fail
 
     // Set up the registers for the memcpy code.
     mov     r1, r5

libc/arch-arm/cortex-a9/bionic/__strcpy_chk.S

@@ -153,7 +153,7 @@ ENTRY(__strcpy_chk)
     pld     [r1, #64]
     ldr     r0, [sp]
     cmp     r3, lr
-    bge     __strcpy_chk_fail
+    bhs     __strcpy_chk_fail
 
     // Add 1 for copy length to get the string terminator.
     add     r2, r3, #1

libc/arch-arm/cortex-a9/bionic/memcpy.S

@@ -43,7 +43,7 @@
 ENTRY(__memcpy_chk)
         .cfi_startproc
         cmp         r2, r3
-        bgt         __memcpy_chk_fail
+        bhi         __memcpy_chk_fail
 
         // Fall through to memcpy...
         .cfi_endproc

libc/arch-arm/krait/bionic/__strcat_chk.S

@@ -180,7 +180,7 @@ ENTRY(__strcat_chk)
 .L_strlen_done:
     add     r2, r3, r4
     cmp     r2, lr
-    bgt     __strcat_chk_failed
+    bhi     __strcat_chk_failed
 
     // Set up the registers for the memcpy code.
     mov     r1, r5

libc/arch-arm/krait/bionic/__strcpy_chk.S

@@ -151,7 +151,7 @@ ENTRY(__strcpy_chk)
     pld     [r1, #64]
     ldr     r0, [sp]
     cmp     r3, lr
-    bge     __strcpy_chk_failed
+    bhs     __strcpy_chk_failed
 
     // Add 1 for copy length to get the string terminator.
     add     r2, r3, #1

libc/arch-arm/krait/bionic/memcpy.S

@@ -46,7 +46,7 @@
 ENTRY(__memcpy_chk)
         .cfi_startproc
         cmp         r2, r3
-        bgt         __memcpy_chk_fail
+        bhi         __memcpy_chk_fail
 
         // Fall through to memcpy...
         .cfi_endproc

tests/fortify_test.cpp

@@ -657,3 +657,57 @@ TEST(TEST_NAME, strcat2) {
   ASSERT_EQ('7',  buf[8]);
   ASSERT_EQ('\0',  buf[9]);
 }
+
+TEST(TEST_NAME, strcat_chk_max_int_size) {
+  char buf[10];
+  memset(buf, 'A', sizeof(buf));
+  buf[0] = 'a';
+  buf[1] = '\0';
+  char* res = __strcat_chk(buf, "01234567", (size_t)-1);
+  ASSERT_EQ(buf, res);
+  ASSERT_EQ('a',  buf[0]);
+  ASSERT_EQ('0',  buf[1]);
+  ASSERT_EQ('1',  buf[2]);
+  ASSERT_EQ('2',  buf[3]);
+  ASSERT_EQ('3',  buf[4]);
+  ASSERT_EQ('4',  buf[5]);
+  ASSERT_EQ('5',  buf[6]);
+  ASSERT_EQ('6',  buf[7]);
+  ASSERT_EQ('7',  buf[8]);
+  ASSERT_EQ('\0', buf[9]);
+}
+
+extern "C" char* __strcpy_chk(char*, const char*, size_t);
+
+TEST(TEST_NAME, strcpy_chk_max_int_size) {
+  char buf[10];
+  char* res = __strcpy_chk(buf, "012345678", (size_t)-1);
+  ASSERT_EQ(buf, res);
+  ASSERT_EQ('0',  buf[0]);
+  ASSERT_EQ('1',  buf[1]);
+  ASSERT_EQ('2',  buf[2]);
+  ASSERT_EQ('3',  buf[3]);
+  ASSERT_EQ('4',  buf[4]);
+  ASSERT_EQ('5',  buf[5]);
+  ASSERT_EQ('6',  buf[6]);
+  ASSERT_EQ('7',  buf[7]);
+  ASSERT_EQ('8',  buf[8]);
+  ASSERT_EQ('\0', buf[9]);
+}
+extern "C" void* __memcpy_chk(void*, const void*, size_t, size_t);
+
+TEST(TEST_NAME, memcpy_chk_max_int_size) {
+  char buf[10];
+  void* res = __memcpy_chk(buf, "012345678", sizeof(buf), (size_t)-1);
+  ASSERT_EQ((void*)buf, res);
+  ASSERT_EQ('0',  buf[0]);
+  ASSERT_EQ('1',  buf[1]);
+  ASSERT_EQ('2',  buf[2]);
+  ASSERT_EQ('3',  buf[3]);
+  ASSERT_EQ('4',  buf[4]);
+  ASSERT_EQ('5',  buf[5]);
+  ASSERT_EQ('6',  buf[6]);
+  ASSERT_EQ('7',  buf[7]);
+  ASSERT_EQ('8',  buf[8]);
+  ASSERT_EQ('\0', buf[9]);
+}