summaryrefslogtreecommitdiff
path: root/testing/libfuzzer
diff options
context:
space:
mode:
authordsinclair <dsinclair@chromium.org>2016-10-04 12:38:18 -0700
committerCommit bot <commit-bot@chromium.org>2016-10-04 12:38:18 -0700
commitfb403875dd1bbf830d9325f10e6a5650db30c6fd (patch)
treebd2b7cb0cb993ba74603be94b9467bb97fc15923 /testing/libfuzzer
parent69d9c68e705afa7a4008feb9bbeb19cea887ed47 (diff)
downloadpdfium-fb403875dd1bbf830d9325f10e6a5650db30c6fd.tar.xz
Make sure the fuzzer read size does not go negative.
When fuzzing the image formats, its possible to get a read request which would go negative. Handle the request and return FALSE for the read. BUG=chromium:621836 Review-Url: https://codereview.chromium.org/2386343002
Diffstat (limited to 'testing/libfuzzer')
-rw-r--r--testing/libfuzzer/xfa_codec_fuzzer.h5
1 files changed, 5 insertions, 0 deletions
diff --git a/testing/libfuzzer/xfa_codec_fuzzer.h b/testing/libfuzzer/xfa_codec_fuzzer.h
index 6a84ed8572..13a467e1ef 100644
--- a/testing/libfuzzer/xfa_codec_fuzzer.h
+++ b/testing/libfuzzer/xfa_codec_fuzzer.h
@@ -49,8 +49,13 @@ class XFACodecFuzzer {
void Release() override {}
FX_BOOL ReadBlock(void* buffer, FX_FILESIZE offset, size_t size) override {
+ if (offset < 0 || offset >= m_size)
+ return FALSE;
if (offset + size > m_size)
size = m_size - offset;
+ if (size == 0)
+ return FALSE;
+
memcpy(buffer, m_data + offset, size);
return TRUE;
}