
/self/proc/mem

Posted Jan 20, 2026 11:53 UTC (Tue) by excors (subscriber, #95769)
In reply to: /self/proc/mem by evomassiny
Parent article: A 0-click exploit chain for the Pixel 9 (Project Zero)

I can't find the ddp_udc_int_evo_malloc symbol in Pixel 9's libcodec2_soft_ddpdec.so (maybe it was inlined or something); but the original bug report says the vulnerable code is present on MacOS, and a GitHub search shows the symbol exists on iOS (which is probably similar to MacOS), so I guess they decompiled it from MacOS rather than Android.

The iOS decompilation is effectively:

total_size = (alloc_size + extra + 7) & ~7;
if (does_add_overflow(alloc_size, extra) || heap->remaining < total_size) { return 0; }

which makes more sense - it's simply rounding up to 8 bytes, and the bug is that it's only testing for overflow in the non-rounded-up addition. Perhaps the post author tried to paraphrase the decompiled code to avoid the slightly obscure bit-twiddling, or used a different decompiler that produced uglier code they needed to clean up, but they made a mistake. The rest of their explanation of the overflow sounds fine.

(They say the overflow is present on iOS but not exploitable because the library is built with -fbounds-safety.)

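An added example, not code from excors's comment or from the decoder library, modelling the rounding described above in a toy bump allocator: the 32-bit overflow check covers alloc_size + extra but not the +7 added for 8-byte rounding, so the rounded total can wrap to 0 and pass the space check; a 64-bit version beside it rejects the same request (toy_heap, vuln_reserve, fixed_reserve and the *_demo helpers are assumed names).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Toy bump allocator (constructed; struct and function names are assumptions). */
typedef struct { uint32_t remaining; } toy_heap;

/* 32-bit overflow test for a + b, as in the decompiled check. */
static bool does_add_overflow(uint32_t a, uint32_t b) { return a > UINT32_MAX - b; }

/* Shape of the bug described above: only alloc_size + extra is overflow-checked;
 * the +7 that rounds up to 8 bytes is not, so the total can wrap to 0, pass the
 * remaining-space check and "succeed" while reserving nothing. */
bool vuln_reserve(toy_heap *heap, uint32_t alloc_size, uint32_t extra, uint32_t *granted) {
    uint32_t total_size = (alloc_size + extra + 7) & ~7u;
    if (does_add_overflow(alloc_size, extra) || heap->remaining < total_size)
        return false;
    heap->remaining -= total_size;
    *granted = total_size;
    return true;
}

/* Hardened form: sum and round in 64 bits, then reject anything that does not
 * fit the 32-bit size the heap tracks, so the rounding cannot wrap. */
bool fixed_reserve(toy_heap *heap, uint32_t alloc_size, uint32_t extra, uint32_t *granted) {
    uint64_t total = ((uint64_t)alloc_size + extra + 7) & ~(uint64_t)7;
    if (total > UINT32_MAX || heap->remaining < total)
        return false;
    heap->remaining -= (uint32_t)total;
    *granted = (uint32_t)total;
    return true;
}

/* Run one request against a fresh 4 KiB arena: returns the granted size, or
 * UINT32_MAX if the request was rejected. */
uint32_t vuln_demo(uint32_t alloc_size, uint32_t extra) {
    toy_heap heap = { 4096 };
    uint32_t granted = 0;
    return vuln_reserve(&heap, alloc_size, extra, &granted) ? granted : UINT32_MAX;
}
uint32_t fixed_demo(uint32_t alloc_size, uint32_t extra) {
    toy_heap heap = { 4096 };
    uint32_t granted = 0;
    return fixed_reserve(&heap, alloc_size, extra, &granted) ? granted : UINT32_MAX;
}
int main(void) {
    /* Constructed input: 0xFFFFFFF0 + 0xA = 0xFFFFFFFA does not overflow, but + 7 does. */
    printf("vuln:  %u\n", vuln_demo(0xFFFFFFF0u, 0xAu));   /* 0: accepted, 0 bytes reserved */
    printf("fixed: %u\n", fixed_demo(0xFFFFFFF0u, 0xAu));  /* 4294967295: rejected */
    return 0;
}
```

Note that whenever the +7 wraps, the masked result is always 0, so the caller is handed a "successful" zero-byte reservation for a request of nearly 4 GiB.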

Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds