commit | c87921042aae8f5fa594f96b33635ef76cfd1028 | [log] [tgz] |
---|---|---|
author | Calder Kitagawa <ckitagawa@chromium.org> | Wed Jul 11 14:55:44 2018 |
committer | Commit Bot <commit-bot@chromium.org> | Wed Jul 11 14:55:44 2018 |
tree | c790988eaa3ccfb51d16ed12ea4b03750673ac90 | |
parent | b73824ff37506f377dc9c9d6789d1db74e6ca5f6 [diff] |
[Zucchini] Fix under/overflow bug in DEX

This bug was found by the fuzzer. If a large int32 value is present for a RelCode32 the result of mapping the location to its target results in integer overflow or underflow as found by UBSAN. In the particular example found by the fuzzer a value of 1292632068 is read from the image. The result of |(1292632067 - 1) * kInstrUnitSize|, where |kInstrUnitSize = 2| results in an overflow. This is only possible for RelCode32 so we only need the fix there.

The solution is to check for overflow and if it occurs just to skip the reference. In a regular DEX file these should be very rare if ever present. I've tested the updated version on a subset of the corpus with no ill effects.

Bug: 862095
Change-Id: Ifedeeaf1ae7e72a147421ecb917ec1751f4bb8d4
Reviewed-on: https://chromium-review.googlesource.com/1131225
Commit-Queue: Calder Kitagawa <ckitagawa@chromium.org>
Reviewed-by: Samuel Huang <huangs@chromium.org>
Cr-Commit-Position: refs/heads/master@{#574160}
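The skip-on-overflow check the commit message describes, as an added example that is not Zucchini's code: the mapping formula `target = location + (rel - 1) * kInstrUnitSize` and the `RelCode32Ref` struct are simplifying assumptions; only `kInstrUnitSize = 2` and the fuzzer value 1292632068 come from the message.

```cpp
#include <cstdint>
#include <cstdio>
#include <limits>
#include <optional>
#include <vector>

constexpr int32_t kInstrUnitSize = 2;  // from the commit message

// Assumed simplified reference layout (not Zucchini's real type):
// a RelCode32 read at |location| with raw value |rel|.
struct RelCode32Ref {
  int32_t location;
  int32_t rel;
};

// Maps a RelCode32 to its target with an explicit range check.
// Intermediate arithmetic is done in int64_t, which cannot overflow for
// any int32 inputs, and the result is only accepted if it fits in int32.
// Returns nullopt when the unchecked int32 computation would overflow or
// underflow, which is the "skip the reference" behaviour of the fix.
std::optional<int32_t> MapRelCode32ToTarget(int32_t location, int32_t rel) {
  const int64_t units = static_cast<int64_t>(rel) - 1;
  const int64_t delta = units * kInstrUnitSize;  // this step overflowed in int32
  if (delta < std::numeric_limits<int32_t>::min() ||
      delta > std::numeric_limits<int32_t>::max())
    return std::nullopt;
  const int64_t target = static_cast<int64_t>(location) + delta;
  if (target < std::numeric_limits<int32_t>::min() ||
      target > std::numeric_limits<int32_t>::max())
    return std::nullopt;
  return static_cast<int32_t>(target);
}

// Collects targets for all references that map cleanly; bad ones are dropped.
std::vector<int32_t> CollectTargets(const std::vector<RelCode32Ref>& refs) {
  std::vector<int32_t> targets;
  for (const RelCode32Ref& ref : refs) {
    if (auto target = MapRelCode32ToTarget(ref.location, ref.rel))
      targets.push_back(*target);
  }
  return targets;
}

int main() {
  // Constructed sample: a normal forward ref, the fuzzer's value, a backward ref.
  const std::vector<RelCode32Ref> refs = {{0x100, 3}, {0x200, 1292632068}, {0x300, -4}};
  for (int32_t t : CollectTargets(refs)) std::printf("target 0x%x\n", t);
  return 0;
}
```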
Chromium is an open-source browser project that aims to build a safer, faster, and more stable way for all users to experience the web.
The project's web site is https://www.chromium.org.
Documentation in the source is rooted in docs/README.md.
Learn how to Get Around the Chromium Source Code Directory Structure.