FasterXML / jackson-dataformats-binary

Uber-project for standard Jackson binary format backends: avro, cbor, ion, protobuf, smile
Apache License 2.0

(smile) Handle invalid chunked-binary-format length gracefully #263

Closed cowtowncoder closed 3 years ago

cowtowncoder commented 3 years ago

(found by OssFuzzer https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32339)

Another nice finding by oss-fuzz project: looks like length handling for chunked (7-bit safe) binary blocks is missing some checks to either prevent use of negative lengths, or avoid int overflow.

cowtowncoder commented 3 years ago

Specifically, it's "all of the above": method _readUnsignedVInt() needs to validate that the input value does not overflow positive 32-bit int.
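
An added example, not part of the issue thread and not the project's own code: a stand-alone sketch of the validation described above, showing how unchecked 32-bit accumulation of a VInt wraps to a negative length and how accumulating in a `long` lets the decoder reject it. The class and method names are hypothetical, and it assumes the Smile VInt layout (7 data bits per byte, final byte flagged by the high bit and carrying 6 data bits).

```java
import java.io.ByteArrayInputStream;
import java.io.EOFException;
import java.io.IOException;
import java.io.InputStream;

// Hypothetical stand-alone class for illustration; not the SmileParser source.
public class VIntLengthCheck {

    // Unchecked 32-bit accumulation, shown only for comparison: wraps silently.
    static int readUnchecked(InputStream in) throws IOException {
        int value = 0;
        while (true) {
            int b = in.read();
            if (b < 0) throw new EOFException("truncated VInt");
            if ((b & 0x80) != 0) return (value << 6) | (b & 0x3F); // final byte
            value = (value << 7) | b;
        }
    }

    // Accumulates in 64 bits and rejects anything above Integer.MAX_VALUE.
    static int readChecked(InputStream in) throws IOException {
        long value = 0L;
        while (true) {
            int b = in.read();
            if (b < 0) throw new EOFException("truncated VInt");
            boolean last = (b & 0x80) != 0;
            value = last ? (value << 6) | (b & 0x3F) : (value << 7) | b;
            // Checked on every byte, so the long itself can never overflow.
            if (value > Integer.MAX_VALUE) {
                throw new IOException("VInt length overflows positive 32-bit int");
            }
            if (last) return (int) value;
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed inputs: a small length, then 34 one-bits of payload.
        byte[] ok = {0x01, (byte) 0x80};
        byte[] tooBig = {0x7F, 0x7F, 0x7F, 0x7F, (byte) 0xBF};
        System.out.println("checked(ok) = " + readChecked(new ByteArrayInputStream(ok)));
        System.out.println("unchecked(tooBig) = " + readUnchecked(new ByteArrayInputStream(tooBig)));
        try {
            readChecked(new ByteArrayInputStream(tooBig));
        } catch (IOException e) {
            System.out.println("checked(tooBig) rejected: " + e.getMessage());
        }
    }
}
```

A negative or wrapped length that reaches buffer allocation or a copy loop is what turns a malformed document into an unexpected runtime exception, so the check belongs at the point where the length is decoded.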