Fix invalid memcpy() call when reading corrupted ZIP files

Skip memcpy() call if its source and destination would overlap: this is
not allowed and is correctly flagged as an error by address sanitizer
and is unnecessary anyhow as we're certainly not going to find the magic
value in fewer than 3 remaining bytes.

Credit to OSS-Fuzz: this solves its issue 3794.
Vadim Zeitlin 2017-10-25 17:11:36 +02:00
parent 802eac475d
commit 8a4573223e

@ -1738,6 +1738,9 @@ bool wxZipInputStream::FindEndRecord()
while (pos > minpos) {
size_t len = wx_truncate_cast(size_t,
pos - wxMax(pos - (BUFSIZE - 3), minpos));
if ( len < 3 )
break;
memcpy(buf.data() + len, buf, 3);
pos -= len;
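Review bot: the `if ( len < 3 ) break;` guard ahead of `memcpy(buf.data() + len, buf, 3);` carries no comment, so the reason for it is recorded only in the commit message. A short comment at the check would keep a later cleanup from dropping it; it should say that with len < 3 the 3-byte source and destination ranges overlap, and that fewer than 3 remaining bytes cannot hold the magic value anyway. The literal 3 also appears in `BUFSIZE - 3`, in the guard and as the memcpy() length; a single named constant for the carried-over byte count would keep those three in sync.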