authorRaymond Toy <rtoy@chromium.org>2020-05-14 23:15:49 +0000
committerMichael BrĂ¼ning <michael.bruning@qt.io>2020-07-22 15:17:54 +0000
commit1c142fada62e576b89a2630e166943fb212a945f (patch)
tree828b30e4c5c3ca1c594c69478c9b1264f69ae579
parentb44a099f73782800bbd08508c2cb773f57c27e17 (diff)
[Backport] CVE-2020-6524: Heap buffer overflow in WebAudio
Manual backport of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/2202394: [PATCH] Replace memcpy with memmove for overlapping copies. copyFromChannel can produce overlapping areas when the source array is the same as the channel data array. Use memmove instead of memcpy to handle this case. copyToChannel has the same issue, so fix that too. Manually tested the repro case with a local asan build. The issue no longer reproduces. Bug: 1081722 Change-Id: I168ef418fccf45646bb4d8a01c22cecfbd5da20b Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r--chromium/third_party/blink/renderer/modules/webaudio/audio_buffer.cc4
1 files changed, 2 insertions, 2 deletions
diff --git a/chromium/third_party/blink/renderer/modules/webaudio/audio_buffer.cc b/chromium/third_party/blink/renderer/modules/webaudio/audio_buffer.cc
index f173f1bbf32..45fcdb53d9f 100644
--- a/chromium/third_party/blink/renderer/modules/webaudio/audio_buffer.cc
+++ b/chromium/third_party/blink/renderer/modules/webaudio/audio_buffer.cc
@@ -255,7 +255,7 @@ void AudioBuffer::copyFromChannel(NotShared<DOMFloat32Array> destination,
DCHECK_LE(count, channel_data->deprecatedLengthAsUnsigned());
DCHECK_LE(buffer_offset + count, channel_data->deprecatedLengthAsUnsigned());
- memcpy(dst, src + buffer_offset, count * sizeof(*src));
+ memmove(dst, src + buffer_offset, count * sizeof(*src));
}
void AudioBuffer::copyToChannel(NotShared<DOMFloat32Array> source,
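Review bot: The new `memmove` line carries no explanation of why a plain `memcpy` is unsafe here, so a later cleanup or "optimization" could silently reintroduce the overlap bug; add a why-comment above it such as `// memmove, not memcpy: |destination| may be this channel's own data array (crbug.com/1081722), so src and dst can overlap.` The two `DCHECK_LE` calls just above are debug-only and compile out in release builds, so the bounds on `buffer_offset` and `count` must be enforced by code earlier in copyFromChannel, outside this hunk — worth confirming that path rejects out-of-range values rather than only asserting on them. copyFromChannel's body begins before this hunk.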
@@ -299,7 +299,7 @@ void AudioBuffer::copyToChannel(NotShared<DOMFloat32Array> source,
DCHECK_LE(buffer_offset + count, channel_data->deprecatedLengthAsUnsigned());
DCHECK_LE(count, source.View()->deprecatedLengthAsUnsigned());
- memcpy(dst + buffer_offset, src, count * sizeof(*dst));
+ memmove(dst + buffer_offset, src, count * sizeof(*dst));
}
void AudioBuffer::Zero() {
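Review bot: The commit description says the overlapping case was only reproduced manually under ASan, and neither hunk adds a regression test; a web test that passes `buffer.getChannelData(0)` itself as the `source` of `copyToChannel` (and as the `destination` of `copyFromChannel`) with a non-zero `buffer_offset` would pin this fix against future regressions. As with copyFromChannel, the `memmove` line deserves a comment stating the aliasing it guards against, e.g. `// memmove: |source| may alias this channel's backing array (crbug.com/1081722), so the ranges can overlap.` copyToChannel's signature sits on the line before this hunk and the rest of its body lies above the hunk.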