-
Calder Kitagawa authored
This bug was found by the fuzzer. If a large int32 value is present for a RelCode32 the result of mapping the location to its target results in integer overflow or underflow as found by UBSAN. In the particular example found by the fuzzer a value of 1292632068 is read from the image. The result of |(1292632067 - 1) * kInstrUnitSize|, where |kInstrUnitSize = 2| results in an overflow. This is only possible for RelCode32 so we only need the fix there. The solution is to check for overflow and if it occurs just to skip the reference. In a regular DEX file these should be very rare if ever present. I've tested the updated version on a subset of the corpus with no ill effects. Bug: 862095 Change-Id: Ifedeeaf1ae7e72a147421ecb917ec1751f4bb8d4 Reviewed-on: https://chromium-review.googlesource.com/1131225 Commit-Queue: Calder Kitagawa <ckitagawa@chromium.org> Reviewed-by:
Samuel Huang <huangs@chromium.org> Cr-Commit-Position: refs/heads/master@{#574160}
c8792104
