From 60d43d6969bf9868497502580996923aea7fc90d Mon Sep 17 00:00:00 2001
From: Ali Mohammad Pur
Date: Tue, 31 Aug 2021 15:00:12 +0430
Subject: [PATCH] AK: Don't perform the shift when it's too large when decoding LEB128

Prior to this, we calculated whether the shift was too large for the result, and then did the shift regardless.

Found by OSS-Fuzz: https://oss-fuzz.com/testcase-detail/6046441716973568
---
 AK/LEB128.h | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/AK/LEB128.h b/AK/LEB128.h
index cf195a50cf..5bff252328 100644
--- a/AK/LEB128.h
+++ b/AK/LEB128.h
@@ -37,8 +37,11 @@ struct LEB128 {
             ValueType masked_byte = byte & ~(1 << 7);
             const bool shift_too_large_for_result = (num_bytes * 7 > sizeof(ValueType) * 8) && (masked_byte != 0);
+            if (shift_too_large_for_result)
+                return false;
+
 
             const bool shift_too_large_for_byte = ((masked_byte << (num_bytes * 7)) >> (num_bytes * 7)) != masked_byte;
-            if (shift_too_large_for_result || shift_too_large_for_byte)
+            if (shift_too_large_for_byte)
                 return false;
 
             result = (result) | (masked_byte << (num_bytes * 7));
@@ -81,9 +84,11 @@ struct LEB128 {
             // note: 64 bit assumptions!
             u64 masked_byte = byte & ~(1 << 7);
             const bool shift_too_large_for_result = (num_bytes * 7 >= 64) && (masked_byte != ((temp < 0) ? 0x7Fu : 0u));
-            const bool shift_too_large_for_byte = (num_bytes * 7) == 63 && masked_byte != 0x00 && masked_byte != 0x7Fu;
+            if (shift_too_large_for_result)
+                return false;
 
-            if (shift_too_large_for_result || shift_too_large_for_byte)
+            const bool shift_too_large_for_byte = (num_bytes * 7) == 63 && masked_byte != 0x00 && masked_byte != 0x7Fu;
+            if (shift_too_large_for_byte)
                 return false;
 
             temp = (temp) | (masked_byte << (num_bytes * 7));
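Review bot: The early return on `shift_too_large_for_result` still lets an over-wide shift count reach `masked_byte << (num_bytes * 7)` in the `shift_too_large_for_byte` line, because that guard also requires `masked_byte != 0`: once `num_bytes * 7` exceeds `sizeof(ValueType) * 8`, a zero-valued continuation byte falls through, and shifting a value by a count at or past its width is undefined behaviour in C++ even when the value is zero. The second hunk has the same shape, where a byte equal to the sign fill (0x00 or 0x7F) with `num_bytes * 7 >= 64` also reaches the shift, and its `shift_too_large_for_byte` only tests `== 63` rather than larger counts. The count comparison should guard the shift itself, with the byte-value test deciding only whether a byte that no longer fits is harmless; the signed variant would use 64 and the 0x00/0x7F fill value in the same structure. Both decoding loops start and end outside their hunks.
```cpp
            ValueType masked_byte = byte & ~(1 << 7);
            if (num_bytes * 7 >= sizeof(ValueType) * 8) {
                // The result is already full: a zero byte adds nothing,
                // anything else would be silently lost, so reject it
                // without ever forming an over-wide shift.
                if (masked_byte != 0)
                    return false;
            } else {
                const bool shift_too_large_for_byte = ((masked_byte << (num_bytes * 7)) >> (num_bytes * 7)) != masked_byte;
                if (shift_too_large_for_byte)
                    return false;
                result = (result) | (masked_byte << (num_bytes * 7));
            }
            // … unchanged: rest of the loop body, outside this hunk …
```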