[wasm] Fix sign error in ImportTable

The cast from uint32_t to int caused an integer overflow that let a bounds check succeed that should have failed. R=jkummerow@chromium.org Bug: chromium:1114005 Change-Id: Iea1af70af300be54c2a33d7dd10b3faa34d56eaa Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2339472Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Commit-Queue: Andreas Haas <ahaas@chromium.org> Cr-Commit-Position: refs/heads/master@{#69289}

[wasm] Fix sign error in ImportTable
The cast from uint32_t to int caused an integer overflow that let a bounds check succeed that should have failed. R=jkummerow@chromium.org Bug: chromium:1114005 Change-Id: Iea1af70af300be54c2a33d7dd10b3faa34d56eaa Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2339472Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Commit-Queue: Andreas Haas <ahaas@chromium.org> Cr-Commit-Position: refs/heads/master@{#69289}
13d252af · Andreas Haas · Commit Bot · 7afba5ac · 13d252af · 13d252af
Commit 13d252af authored Aug 07, 2020 by Andreas Haas Committed by Commit Bot Aug 07, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 17 additions and 5 deletions

module-instantiate.cc src/wasm/module-instantiate.cc +6 -5

regress-1114005.js test/mjsunit/regress/wasm/regress-1114005.js +11 -0

No files found.
--- a/src/wasm/module-instantiate.cc
+++ b/src/wasm/module-instantiate.cc
@@ -1116,22 +1116,23 @@ bool InstanceBuilder::ProcessImportedTable(Handle<WasmInstanceObject> instance,
  auto table_object = Handle<WasmTableObject>::cast(value);
-  int imported_table_size = table_object->current_length();
+  uint32_t imported_table_size =
-  if (imported_table_size < static_cast<int>(table.initial_size)) {
+      static_cast<uint32_t>(table_object->current_length());
-    thrower_->LinkError("table import %d is smaller than initial %d, got %u",
+  if (imported_table_size < table.initial_size) {
+    thrower_->LinkError("table import %d is smaller than initial %u, got %u",
                        import_index, table.initial_size, imported_table_size);
    return false;
  }
  if (table.has_maximum_size) {
    if (table_object->maximum_length().IsUndefined(isolate_)) {
-      thrower_->LinkError("table import %d has no maximum length, expected %d",
+      thrower_->LinkError("table import %d has no maximum length, expected %u",
                          import_index, table.maximum_size);
      return false;
    }
    int64_t imported_maximum_size = table_object->maximum_length().Number();
    if (imported_maximum_size < 0) {
-      thrower_->LinkError("table import %d has no maximum length, expected %d",
+      thrower_->LinkError("table import %d has no maximum length, expected %u",
                          import_index, table.maximum_size);
      return false;
    }

--- a/test/mjsunit/regress/wasm/regress-1114005.js
+++ b/test/mjsunit/regress/wasm/regress-1114005.js
+// Copyright 2020 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+load("test/mjsunit/wasm/wasm-module-builder.js");
+const builder = new WasmModuleBuilder();
+let table = new WebAssembly.Table({element: 'anyfunc', initial: 2});
+// Big size that causes an int32 overflow.
+builder.addImportedTable('m', 'table', 4000000000);
+assertThrows(() => builder.instantiate({m: {table: table}}), WebAssembly.LinkError);