author | Raymond Toy <rtoy@chromium.org> | 2020-05-14 23:15:49 +0000 |
---|---|---|
committer | Michael Brüning <michael.bruning@qt.io> | 2020-07-22 15:17:54 +0000 |
commit | 1c142fada62e576b89a2630e166943fb212a945f (patch) | |
tree | 828b30e4c5c3ca1c594c69478c9b1264f69ae579 | |
parent | b44a099f73782800bbd08508c2cb773f57c27e17 (diff) | |
download | qtwebengine-chromium-1c142fada62e576b89a2630e166943fb212a945f.tar.gz |
[Backport] CVE-2020-6524: Heap buffer overflow in WebAudio
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2202394:
[PATCH] Replace memcopy with memmove for overlapping copies
copyFromChannel can produce overlapping areas when the source array is
the same as the channel data array. Use memmove instead of memcpy to
handle this case. copyToChannel has the same issue, so fix that too.
Manually tested the repro case with a local asan build. The issue no
longer reproduces.
Bug: 1081722
Change-Id: I168ef418fccf45646bb4d8a01c22cecfbd5da20b
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r-- | chromium/third_party/blink/renderer/modules/webaudio/audio_buffer.cc | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/chromium/third_party/blink/renderer/modules/webaudio/audio_buffer.cc b/chromium/third_party/blink/renderer/modules/webaudio/audio_buffer.cc index f173f1bbf32..45fcdb53d9f 100644 --- a/chromium/third_party/blink/renderer/modules/webaudio/audio_buffer.cc +++ b/chromium/third_party/blink/renderer/modules/webaudio/audio_buffer.cc @@ -255,7 +255,7 @@ void AudioBuffer::copyFromChannel(NotShared<DOMFloat32Array> destination, DCHECK_LE(count, channel_data->deprecatedLengthAsUnsigned()); DCHECK_LE(buffer_offset + count, channel_data->deprecatedLengthAsUnsigned()); - memcpy(dst, src + buffer_offset, count * sizeof(*src)); + memmove(dst, src + buffer_offset, count * sizeof(*src)); } void AudioBuffer::copyToChannel(NotShared<DOMFloat32Array> source, @@ -299,7 +299,7 @@ void AudioBuffer::copyToChannel(NotShared<DOMFloat32Array> source, DCHECK_LE(buffer_offset + count, channel_data->deprecatedLengthAsUnsigned()); DCHECK_LE(count, source.View()->deprecatedLengthAsUnsigned()); - memcpy(dst + buffer_offset, src, count * sizeof(*dst)); + memmove(dst + buffer_offset, src, count * sizeof(*dst)); } void AudioBuffer::Zero() { |
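Review bot: in the copyFromChannel hunk the switch from memcpy to memmove is the right fix for the aliasing case described in the commit message, but that reason is recorded only in the message; a one-line comment above the call, e.g. `// destination may alias channel_data, so the ranges can overlap: memmove, not memcpy`, would stop a later editor from "optimising" it back. Also, the two DCHECK_LE lines directly above the call only fire in debug builds, so they are not what keeps `src + buffer_offset` and `count` in bounds in release; please confirm that the clamping of `count` and `buffer_offset` happens earlier in the function, outside this hunk.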
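Review bot: the copyToChannel hunk mirrors the first one, but the diffstat shows only audio_buffer.cc touched, so no regression test accompanies the fix even though the message says the repro was checked only manually under ASan; suggest adding a web test that calls copyFromChannel and copyToChannel with the channel's own Float32Array as the destination/source at a non-zero bufferOffset and asserts on the resulting samples, so the overlapping path stays covered. The size expression `count * sizeof(*dst)` here versus `count * sizeof(*src)` in the first hunk is consistent since both are float arrays, so nothing to change there.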