From fb403875dd1bbf830d9325f10e6a5650db30c6fd Mon Sep 17 00:00:00 2001
From: dsinclair
Date: Tue, 4 Oct 2016 12:38:18 -0700
Subject: Make sure the fuzzer read size does not go negative.

When fuzzing the image formats, its possible to get a read request which would go negative. Handle the request and return FALSE for the read.

BUG=chromium:621836

Review-Url: https://codereview.chromium.org/2386343002
---
 testing/libfuzzer/xfa_codec_fuzzer.h | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/testing/libfuzzer/xfa_codec_fuzzer.h b/testing/libfuzzer/xfa_codec_fuzzer.h
index 6a84ed8572..13a467e1ef 100644
--- a/testing/libfuzzer/xfa_codec_fuzzer.h
+++ b/testing/libfuzzer/xfa_codec_fuzzer.h
@@ -49,8 +49,13 @@ class XFACodecFuzzer {
 void Release() override {}
 FX_BOOL ReadBlock(void* buffer, FX_FILESIZE offset, size_t size) override {
+ if (offset < 0 || offset >= m_size)
+ return FALSE;
 if (offset + size > m_size)
 size = m_size - offset;
+ if (size == 0)
+ return FALSE;
+
 memcpy(buffer, m_data + offset, size);
 return TRUE;
 }
-- 
cgit v1.2.3
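Review bot: The clamp `if (offset + size > m_size)` can still be defeated by a very large `size`: once `offset` is known to be non-negative, `offset + size` is evaluated in the unsigned type of `size` and wraps for a value near `SIZE_MAX`, so the sum compares below `m_size`, no clamping happens, and the `memcpy` on the following line reads past the end of `m_data`. Comparing against the remaining length avoids the addition entirely, `if (size > static_cast<size_t>(m_size - offset)) size = m_size - offset;`, and the new `offset >= m_size` guard already guarantees that subtraction is non-negative. The exact types of `FX_FILESIZE` and `m_size` are not visible in the hunk, so the width assumption behind that cast should be confirmed against their declarations. ReadBlock also still returns TRUE after silently shortening a read, which is worth a one-line comment above the clamp if any caller expects the full `size` to be filled. The enclosing class `XFACodecFuzzer` starts outside the hunk.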