Closed cowtowncoder closed 3 years ago
(found by OssFuzzer https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32339)
Another nice finding by oss-fuzz project: looks like length handling for chunked (7-bit safe) binary blocks is missing some checks to either prevent use of negative lengths, or avoid int overflow.
Specifically, it's "all of above": method _readUnsignedVInt() needs to validate that the input value does not overflow positive 32-bit int.
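To make the failure mode concrete, here is an added Go example (not the project's Java code) of a Smile-style unsigned VInt decoder in its unchecked form beside a hardened one that bounds the accumulator before every shift. It assumes the layout where continuation bytes carry 7 bits with the high bit clear and the final byte has the high bit set and carries the low 6 bits; the function names and the hostile byte sequence are constructed for the example.

```go
package main

import (
	"errors"
	"math"
)

var ErrVIntOverflow = errors.New("unsigned VInt exceeds positive 32-bit int")
var ErrVIntTruncated = errors.New("unsigned VInt ends before its final byte")

// Assumed Smile-style layout: continuation bytes carry 7 bits (high bit clear),
// the final byte has the high bit set and carries the low 6 bits.
func encodeUnsignedVInt(u uint32) []byte {
	out := []byte{0x80 | byte(u&0x3F)}
	for u >>= 6; u != 0; u >>= 7 {
		out = append([]byte{byte(u & 0x7F)}, out...)
	}
	return out
}

// Mirrors the pre-fix logic: the accumulator is shifted without a bound, so the
// int32 wraps and a crafted input comes back as a negative "length".
func readUnsignedVIntUnchecked(buf []byte) (int32, int, error) {
	var value int32
	for i, b := range buf {
		if b&0x80 != 0 {
			return (value << 6) + int32(b&0x3F), i + 1, nil
		}
		value = (value << 7) + int32(b)
	}
	return 0, len(buf), ErrVIntTruncated
}

// Hardened form: reject before a shift could overflow. The accumulator must fit in
// 24 bits before "<<7" and in 25 bits before the final "<<6".
func readUnsignedVIntChecked(buf []byte) (int32, int, error) {
	var value int32
	for i, b := range buf {
		if b&0x80 != 0 {
			if value > math.MaxInt32>>6 {
				return 0, i + 1, ErrVIntOverflow
			}
			return (value << 6) + int32(b&0x3F), i + 1, nil
		}
		if value > math.MaxInt32>>7 {
			return 0, i + 1, ErrVIntOverflow
		}
		value = (value << 7) + int32(b)
	}
	return 0, len(buf), ErrVIntTruncated
}
```

Four 0x7F continuation bytes followed by 0xBF decode to -1 in the unchecked form, which a caller would then hand to a buffer allocation as a length; the checked form returns ErrVIntOverflow on the final byte instead.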