Google Git
Sign in
chromium / chromium / src / c87921042aae8f5fa594f96b33635ef76cfd1028
commitc87921042aae8f5fa594f96b33635ef76cfd1028[log] [tgz]
authorCalder Kitagawa <ckitagawa@chromium.org>Wed Jul 11 14:55:44 2018
committerCommit Bot <commit-bot@chromium.org>Wed Jul 11 14:55:44 2018
treec790988eaa3ccfb51d16ed12ea4b03750673ac90
parentb73824ff37506f377dc9c9d6789d1db74e6ca5f6 [diff]
[Zucchini] Fix under/overfow bug in DEX

This bug was found by the fuzzer. If a large int32 value is present for
a RelCode32 the result of mapping the location to its target results in
integer overflow or underflow as found by UBSAN.

In the particular example found by the fuzzer a value of 1292632068 is
read from the image. The result of |(1292632067 - 1) * kInstrUnitSize|,
where |kInstrUnitSize = 2| results in an overflow. This is only
possible for RelCode32 so we only need the fix there. The solution is
to check for overflow and if it occurs just to skip the reference. In
a regular DEX file these should be very rare if ever present.

I've tested the updated version on a subset of the corpus with no ill
effects.

Bug: 862095
Change-Id: Ifedeeaf1ae7e72a147421ecb917ec1751f4bb8d4
Reviewed-on: https://chromium-review.googlesource.com/1131225
Commit-Queue: Calder Kitagawa <ckitagawa@chromium.org>
Reviewed-by: Samuel Huang <huangs@chromium.org>
Cr-Commit-Position: refs/heads/master@{#574160}
1 file changed
tree: c790988eaa3ccfb51d16ed12ea4b03750673ac90
  1. android_webview/
  2. apps/
  3. ash/
  4. base/
  5. blink/
  6. build/
  7. build_overrides/
  8. cc/
  9. chrome/
  10. chrome_elf/
  11. chromecast/
  12. chromeos/
  13. cloud_print/
  14. components/
  15. content/
  16. courgette/
  17. crypto/
  18. dbus/
  19. device/
  20. docs/
  21. extensions/
  22. gin/
  23. google_apis/
  24. google_update/
  25. gpu/
  26. headless/
  27. infra/
  28. ios/
  29. ipc/
  30. jingle/
  31. mash/
  32. media/
  33. mojo/
  34. native_client_sdk/
  35. net/
  36. pdf/
  37. ppapi/
  38. printing/
  39. remoting/
  40. rlz/
  41. sandbox/
  42. services/
  43. skia/
  44. sql/
  45. storage/
  46. styleguide/
  47. testing/
  48. third_party/
  49. tools/
  50. ui/
  51. url/
  52. webrunner/
  53. .clang-format
  54. .eslintrc.js
  55. .git-blame-ignore-revs
  56. .gitattributes
  57. .gitignore
  58. .gn
  59. .vpython
  60. AUTHORS
  61. BUILD.gn
  62. CODE_OF_CONDUCT.md
  63. codereview.settings
  64. DEPS
  65. ENG_REVIEW_OWNERS
  66. LICENSE
  67. LICENSE.chromium_os
  68. OWNERS
  69. PRESUBMIT.py
  70. PRESUBMIT_test.py
  71. PRESUBMIT_test_mocks.py
  72. README.md
  73. WATCHLISTS
README.md

Logo Chromium

Chromium is an open-source browser project that aims to build a safer, faster, and more stable way for all users to experience the web.

The project's web site is https://www.chromium.org.

Documentation in the source is rooted in docs/README.md.

Learn how to Get Around the Chromium Source Code Directory Structure .