authorRaymond Toy <rtoy@chromium.org>2020-05-14 23:15:49 +0000
committerMichael BrĂ¼ning <michael.bruning@qt.io>2020-07-24 16:33:06 +0000
commit618f960a12ca2710e05eeff6f15076b741d11701 (patch)
tree8628b4063a5f68a2081e9bb6cc33cde90da42b00
parent53ab90f118dc83ab0dc18e24c45d691626f98775 (diff)
downloadqtwebengine-chromium-618f960a12ca2710e05eeff6f15076b741d11701.tar.gz
[Backport] CVE-2020-6524: Heap buffer overflow in WebAudio
Manual backport of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/2202394:

[PATCH] Replace memcpy with memmove for overlapping copies

copyFromChannel can produce overlapping source and destination ranges when the destination array is backed by the same storage as the channel data array. memcpy has undefined behaviour on overlapping ranges; use memmove instead, which handles this case. copyToChannel has the same issue, so fix that too.

Manually tested the repro case with a local ASan build. The issue no longer reproduces.

Bug: 1081722
Change-Id: I168ef418fccf45646bb4d8a01c22cecfbd5da20b
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r--chromium/third_party/blink/renderer/modules/webaudio/audio_buffer.cc4
1 files changed, 2 insertions, 2 deletions
diff --git a/chromium/third_party/blink/renderer/modules/webaudio/audio_buffer.cc b/chromium/third_party/blink/renderer/modules/webaudio/audio_buffer.cc
index e3133cde0da..071c62f5946 100644
--- a/chromium/third_party/blink/renderer/modules/webaudio/audio_buffer.cc
+++ b/chromium/third_party/blink/renderer/modules/webaudio/audio_buffer.cc
@@ -288,7 +288,7 @@ void AudioBuffer::copyFromChannel(NotShared<DOMFloat32Array> destination,
DCHECK(src);
DCHECK(dst);
- memcpy(dst, src + start_in_channel, count * sizeof(*src));
+ memmove(dst, src + start_in_channel, count * sizeof(*src));
}
void AudioBuffer::copyToChannel(NotShared<DOMFloat32Array> source,
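Review bot: The switch to memmove on the new line needs a why-comment, because nothing at the call site shows that `dst` and `src + start_in_channel` can overlap, and a later "optimisation" back to memcpy would silently reintroduce the overlap UB this CVE fix removes; I would put `// memmove, not memcpy: |destination| may be a view over this channel's own backing store, so the ranges can overlap.` directly above the call. Note that memmove only makes an in-bounds overlapping copy well-defined; it does nothing for an out-of-bounds `count`, so the clamping of `count` against both the destination length and the channel length (presumably done earlier in the function, outside this hunk) is what actually bounds the write, and the `DCHECK`s on the two preceding lines are debug-only and provide no release-build guarantee. copyFromChannel begins outside the hunk, so that clamping could not be confirmed here.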
@@ -336,7 +336,7 @@ void AudioBuffer::copyToChannel(NotShared<DOMFloat32Array> source,
DCHECK(src);
DCHECK(dst);
- memcpy(dst + start_in_channel, src, count * sizeof(*dst));
+ memmove(dst + start_in_channel, src, count * sizeof(*dst));
}
void AudioBuffer::Zero() {
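Review bot: Same as in copyFromChannel, the memmove on the new line should carry a comment stating the aliasing reason, e.g. `// memmove, not memcpy: |source| may alias this channel's backing store, so the ranges can overlap.`, so the two functions document the shared invariant consistently. memmove resolves only the overlap case; the bound on `count` relative to both `source` and the channel data, which is what prevents a heap overflow on the `dst + start_in_channel` write, is computed earlier in copyToChannel outside this hunk and should be checked against release-mode behaviour, since the `DCHECK`s above are compiled out in release builds. The enclosing function starts outside the hunk.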