Add bounds CHECK to UTF-8 decoder memory allocation.

Avoid integer overflow when computing a total buffer size from a base buffer and small partial sequence buffer. Bug: 901030 Change-Id: Ic82db2c6af770bd748fb1ec881999d0dfaac30f0 Reviewed-on: https://chromium-review.googlesource.com/c/1313833Reviewed-by: Chris Palmer <palmer@chromium.org> Commit-Queue: Joshua Bell <jsbell@chromium.org> Cr-Commit-Position: refs/heads/master@{#605011}

Add bounds CHECK to UTF-8 decoder memory allocation.
Avoid integer overflow when computing a total buffer size from a base buffer and small partial sequence buffer. Bug: 901030 Change-Id: Ic82db2c6af770bd748fb1ec881999d0dfaac30f0 Reviewed-on: https://chromium-review.googlesource.com/c/1313833Reviewed-by: Chris Palmer <palmer@chromium.org> Commit-Queue: Joshua Bell <jsbell@chromium.org> Cr-Commit-Position: refs/heads/master@{#605011}
dae5b388 · Joshua Bell · Commit Bot · 6b464828 · dae5b388 · dae5b388
Commit dae5b388 authored Nov 02, 2018 by Joshua Bell Committed by Commit Bot Nov 02, 2018
2 changed files
--- a/third_party/blink/renderer/platform/wtf/text/text_codec_utf8.cc
+++ b/third_party/blink/renderer/platform/wtf/text/text_codec_utf8.cc
@@ -27,6 +27,7 @@
 #include <memory>
 #include "base/memory/ptr_util.h"
+#include "base/numerics/checked_math.h"
 #include "third_party/blink/renderer/platform/wtf/text/character_names.h"
 #include "third_party/blink/renderer/platform/wtf/text/cstring.h"
 #include "third_party/blink/renderer/platform/wtf/text/string_buffer.h"
@@ -294,7 +295,8 @@ String TextCodecUTF8::Decode(const char* bytes,
  // Each input byte might turn into a character.
  // That includes all bytes in the partial-sequence buffer because
  // each byte in an invalid sequence will turn into a replacement character.
-  StringBuffer<LChar> buffer(partial_sequence_size_ + length);
+  StringBuffer<LChar> buffer(
+      base::CheckAdd(partial_sequence_size_, length).ValueOrDie());
  const uint8_t* source = reinterpret_cast<const uint8_t*>(bytes);
  const uint8_t* end = source + length;
@@ -377,7 +379,8 @@ String TextCodecUTF8::Decode(const char* bytes,
  return String::Adopt(buffer);
 upConvertTo16Bit:
-  StringBuffer<UChar> buffer16(partial_sequence_size_ + length);
+  StringBuffer<UChar> buffer16(
+      base::CheckAdd(partial_sequence_size_, length).ValueOrDie());
  UChar* destination16 = buffer16.Characters();

--- a/third_party/blink/renderer/platform/wtf/text/text_codec_utf8_test.cc
+++ b/third_party/blink/renderer/platform/wtf/text/text_codec_utf8_test.cc
@@ -30,6 +30,7 @@
 #include "third_party/blink/renderer/platform/wtf/text/text_codec_utf8.h"
+#include <limits>
 #include <memory>
 #include "testing/gtest/include/gtest/gtest.h"
 #include "third_party/blink/renderer/platform/wtf/text/text_codec.h"
@@ -89,6 +90,20 @@ TEST(TextCodecUTF8, Decode0xFF) {
  EXPECT_EQ(0xFFFDU, result[0]);
 }
+TEST(TextCodecUTF8, DecodeOverflow) {
+  TextEncoding encoding("UTF-8");
+  std::unique_ptr<TextCodec> codec(NewTextCodec(encoding));
+  // Prime the partial sequence buffer.
+  bool saw_error = false;
+  codec->Decode("\x80", 1, FlushBehavior::kDoNotFlush, false, saw_error);
+  EXPECT_FALSE(saw_error);
+  EXPECT_DEATH(codec->Decode(nullptr, std::numeric_limits<wtf_size_t>::max(),
+                             FlushBehavior::kDataEOF, false, saw_error),
+               "");
+}
 }  // namespace
 }  // namespace WTF