AK: Don't perform the shift when it's too large when decoding LEB128

Prior to this, we calculated whether the shift was too large for the
result, and then did the shift regardless.
Found by OSS-Fuzz: https://oss-fuzz.com/testcase-detail/6046441716973568
This commit is contained in:
Ali Mohammad Pur 2021-08-31 15:00:12 +04:30 committed by Andreas Kling
parent 98624fe03f
commit 60d43d6969


@ -37,8 +37,11 @@ struct LEB128 {
ValueType masked_byte = byte & ~(1 << 7);
const bool shift_too_large_for_result = (num_bytes * 7 > sizeof(ValueType) * 8) && (masked_byte != 0);
if (shift_too_large_for_result)
return false;
const bool shift_too_large_for_byte = ((masked_byte << (num_bytes * 7)) >> (num_bytes * 7)) != masked_byte;
if (shift_too_large_for_result || shift_too_large_for_byte)
if (shift_too_large_for_byte)
return false;
result = (result) | (masked_byte << (num_bytes * 7));
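Review bot: The oversized shift is still performed when the extra byte carries a zero payload: `shift_too_large_for_result` is only true when `masked_byte != 0`, so a continuation byte of `0x80` at a position where `num_bytes * 7 > sizeof(ValueType) * 8` falls through to `shift_too_large_for_byte`, which evaluates `masked_byte << (num_bytes * 7)` with a shift count beyond the width of `ValueType` — undefined behaviour regardless of the value shifted — and the OR into `result` repeats it. With a 64-bit `ValueType`, eleven consecutive `0x80` bytes reach this path (the eleventh byte has shift 70). The shifts should be skipped entirely once the position is past the result width, and the bound should be `>=` since a shift by exactly the width is also undefined; a zero payload there can be accepted without shifting and anything else rejected. The enclosing decode loop starts and ends outside this hunk, so I have assumed the continuation-bit handling after the `result` line is unchanged.
```cpp
ValueType masked_byte = byte & ~(1 << 7);
if (num_bytes * 7 >= sizeof(ValueType) * 8) {
    // Past the width of the result only zero-payload padding bytes are acceptable,
    // and nothing may be shifted here: the shift count would be >= the type width.
    if (masked_byte != 0)
        return false;
} else {
    const bool shift_too_large_for_byte = ((masked_byte << (num_bytes * 7)) >> (num_bytes * 7)) != masked_byte;
    if (shift_too_large_for_byte)
        return false;
    result = (result) | (masked_byte << (num_bytes * 7));
}
```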
@ -81,9 +84,11 @@ struct LEB128 {
// note: 64 bit assumptions!
u64 masked_byte = byte & ~(1 << 7);
const bool shift_too_large_for_result = (num_bytes * 7 >= 64) && (masked_byte != ((temp < 0) ? 0x7Fu : 0u));
const bool shift_too_large_for_byte = (num_bytes * 7) == 63 && masked_byte != 0x00 && masked_byte != 0x7Fu;
if (shift_too_large_for_result)
return false;
if (shift_too_large_for_result || shift_too_large_for_byte)
const bool shift_too_large_for_byte = (num_bytes * 7) == 63 && masked_byte != 0x00 && masked_byte != 0x7Fu;
if (shift_too_large_for_byte)
return false;
temp = (temp) | (masked_byte << (num_bytes * 7));
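Review bot: The shift by 64 or more is still executed in the sign-filler case: `shift_too_large_for_result` is false when `num_bytes * 7 >= 64` and `masked_byte` equals the expected filler (`0x7F` for a negative `temp`, `0` otherwise), `shift_too_large_for_byte` only fires at exactly 63, so `masked_byte << (num_bytes * 7)` on the `u64` runs with a shift count of 70 or more — undefined behaviour even though the shifted value is only filler. Eleven consecutive `0x80` bytes, or eleven consecutive `0xFF` bytes, reach this line. Once the position is at or past bit 64 the byte should be validated against the filler and the shift skipped, keeping the bit-63 check and the OR into `temp` on the other branch. The enclosing decode loop starts and ends outside this hunk, so I have assumed the continuation-bit handling after the `temp` line is unchanged.
```cpp
u64 masked_byte = byte & ~(1 << 7);
if (num_bytes * 7 >= 64) {
    // Beyond bit 63 only sign-filler bytes are acceptable (0x00 for a non-negative
    // value, 0x7F for a negative one); never shift here, the count would be >= 64.
    if (masked_byte != ((temp < 0) ? 0x7Fu : 0u))
        return false;
} else {
    const bool shift_too_large_for_byte = (num_bytes * 7) == 63 && masked_byte != 0x00 && masked_byte != 0x7Fu;
    if (shift_too_large_for_byte)
        return false;
    temp = (temp) | (masked_byte << (num_bytes * 7));
}
```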