From 8a4573223e34fd0301e9cbd37aa768922c8eeb58 Mon Sep 17 00:00:00 2001
From: Vadim Zeitlin
Date: Wed, 25 Oct 2017 17:11:36 +0200
Subject: [PATCH] Fix invalid memcpy() call when reading corrupted ZIP files

Skip memcpy() call if its source and destination would overlap: this is not allowed and is correctly flagged as an error by address sanitizer and is unnecessary anyhow as we're certainly not going to find the magic value in fewer than 3 remaining bytes.

Credit to OSS-Fuzz: this solves its issue 3794.
---
 src/common/zipstrm.cpp | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/common/zipstrm.cpp b/src/common/zipstrm.cpp
index 1399f3fbca..12be143e92 100644
--- a/src/common/zipstrm.cpp
+++ b/src/common/zipstrm.cpp
@@ -1738,6 +1738,9 @@ bool wxZipInputStream::FindEndRecord()
 while (pos > minpos) {
 size_t len = wx_truncate_cast(size_t, pos - wxMax(pos - (BUFSIZE - 3), minpos));
+ if ( len < 3 ) break; + memcpy(buf.data() + len, buf, 3); pos -= len;