    Guard against overflow in BigEndianReader and BigEndianWriter. · 1714f57e
    Daniel McArdle authored
    wav_audio_handler_fuzzer found a fun bug in BigEndianReader. By calling
    BigEndianReader::ReadPiece with a very large length, we can bypass the
    internal safety check.
    
    BigEndianReader::ReadPiece will abort the operation and return false if
    |ptr_ + len > end_|. When |len| is a large value, |ptr_ + len| may
    overflow, spuriously passing the bounds check.
    
    All of the BigEndianReader and BigEndianWriter functions that take
    length values use this vulnerable bounds check.
    
    This CL replaces the vulnerable pointer arithmetic with a safe
    alternative, and adds unit tests to detect regressions. After this CL,
    it should be safe to hand untrusted lengths to BigEndianReader and
    BigEndianWriter functions.
    
    Bug: 1114803
    Change-Id: Ibf1192298dfe37a1aebcf6afaad080d1b5765135
    Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2347368
    Commit-Queue: Dan McArdle <dmcardle@chromium.org>
    Reviewed-by: Mark Mentovai <mark@chromium.org>
    Cr-Commit-Position: refs/heads/master@{#796614}
big_endian.cc 2.79 KB
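The overflow described in the commit message, shown as an added example that is not Chromium's `base::BigEndianReader` code and not the CL's own patch. `ToyBigEndianReader` and `ToyBigEndianWriter` are hypothetical stand-ins. The vulnerable `ptr_ + len > end_` check is reproduced on `uintptr_t` values so the wrap-around is deterministic (on real pointers that addition is undefined behaviour, which is what made the fuzzer finding possible). The safe form compares `len` against the byte count still remaining; that is one correct alternative, assumed here, not necessarily the exact code the CL landed.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>

// Hypothetical reader modelled on the commit message, not Chromium's class.
class ToyBigEndianReader {
 public:
  ToyBigEndianReader(const char* buf, size_t len) : ptr_(buf), end_(buf + len) {}

  // Vulnerable bounds check: "ptr_ + len > end_". Computed on uintptr_t so
  // the modular wrap is well defined; a huge len wraps below end_ and the
  // check spuriously passes.
  bool UnsafeCanRead(size_t len) const {
    uintptr_t start = reinterpret_cast<uintptr_t>(ptr_);
    uintptr_t end = reinterpret_cast<uintptr_t>(end_);
    return !(start + len > end);
  }

  // Safe bounds check: compare the requested length against the number of
  // bytes actually remaining. end_ - ptr_ is always a small, valid value, so
  // nothing here can overflow regardless of how large len is.
  bool SafeCanRead(size_t len) const { return len <= remaining(); }

  size_t remaining() const { return static_cast<size_t>(end_ - ptr_); }

  // Copies len bytes into *out; returns false (and consumes nothing) if
  // len exceeds the remaining input.
  bool ReadPiece(size_t len, std::string* out) {
    if (!SafeCanRead(len)) return false;
    out->assign(ptr_, len);
    ptr_ += len;
    return true;
  }

  // Reads a big-endian 16-bit value.
  bool ReadU16(uint16_t* v) {
    if (!SafeCanRead(2)) return false;
    *v = static_cast<uint16_t>((static_cast<uint8_t>(ptr_[0]) << 8) |
                               static_cast<uint8_t>(ptr_[1]));
    ptr_ += 2;
    return true;
  }

 private:
  const char* ptr_;
  const char* end_;
};

// Hypothetical writer using the same remaining-space check.
class ToyBigEndianWriter {
 public:
  ToyBigEndianWriter(char* buf, size_t len) : ptr_(buf), end_(buf + len) {}
  size_t remaining() const { return static_cast<size_t>(end_ - ptr_); }

  bool WriteBytes(const char* src, size_t len) {
    if (len > remaining()) return false;  // cannot overflow
    for (size_t i = 0; i < len; ++i) ptr_[i] = src[i];
    ptr_ += len;
    return true;
  }

 private:
  char* ptr_;
  char* end_;
};

// Constructed 8-byte sample input: a big-endian 0x002a followed by "abcdef".
static const char kSample[] = {0x00, 0x2a, 'a', 'b', 'c', 'd', 'e', 'f'};

// The untrusted length an attacker-controlled file could supply.
static const size_t kHugeLen = SIZE_MAX - 8;

// True if the vulnerable check wrongly accepts the huge length.
bool VulnerableCheckAcceptsHugeLength() {
  ToyBigEndianReader r(kSample, sizeof(kSample));
  return r.UnsafeCanRead(kHugeLen);
}

// True if the safe check correctly rejects it.
bool SafeCheckRejectsHugeLength() {
  ToyBigEndianReader r(kSample, sizeof(kSample));
  return !r.SafeCanRead(kHugeLen);
}

// Normal use: read the u16, then the 6-byte piece, then hit end of input.
std::string ReadSampleTail(uint16_t* value, bool* exhausted) {
  ToyBigEndianReader r(kSample, sizeof(kSample));
  std::string piece;
  r.ReadU16(value);
  r.ReadPiece(6, &piece);
  *exhausted = !r.ReadPiece(1, &piece);  // nothing left; must fail cleanly
  return piece;
}

bool WriterRejectsOversizedWrite() {
  char out[4];
  ToyBigEndianWriter w(out, sizeof(out));
  return !w.WriteBytes(kSample, kHugeLen) && w.WriteBytes(kSample, 4);
}

int main() {
  std::printf("vulnerable check accepts huge len: %d\n",
              VulnerableCheckAcceptsHugeLength());
  std::printf("safe check rejects huge len: %d\n", SafeCheckRejectsHugeLength());
  return 0;
}
```

The regression tests the CL mentions would look much like the helper functions above: feed a length near `SIZE_MAX` and assert the read or write returns false without touching memory.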