Commit 1a5f8fa5 authored by ahaas's avatar ahaas Committed by Commit bot

[wasm] Validate the length of strings before validating the string.

BUG=chromium:644182
R=titzer@chromium.org
TEST=module-decoder-unittest.cc:ExportNameWithInvalidStringLength

Review-Url: https://codereview.chromium.org/2310023002
Cr-Commit-Position: refs/heads/master@{#39199}
parent 17dbaff9
...@@ -587,10 +587,13 @@ class ModuleDecoder : public Decoder { ...@@ -587,10 +587,13 @@ class ModuleDecoder : public Decoder {
*length = consume_u32v("string length"); *length = consume_u32v("string length");
uint32_t offset = pc_offset(); uint32_t offset = pc_offset();
TRACE(" +%u %-20s: (%u bytes)\n", offset, "string", *length); TRACE(" +%u %-20s: (%u bytes)\n", offset, "string", *length);
if (validate_utf8 && !unibrow::Utf8::Validate(pc_, *length)) { const byte* string_start = pc_;
error(pc_, "no valid UTF-8 string"); // Consume bytes before validation to guarantee that the string is not oob.
}
consume_bytes(*length); consume_bytes(*length);
if (ok() && validate_utf8 &&
!unibrow::Utf8::Validate(string_start, *length)) {
error(string_start, "no valid UTF-8 string");
}
return offset; return offset;
} }
......
...@@ -1023,6 +1023,20 @@ TEST_F(WasmModuleVerifyTest, ExportTableOne) { ...@@ -1023,6 +1023,20 @@ TEST_F(WasmModuleVerifyTest, ExportTableOne) {
if (result.val) delete result.val; if (result.val) delete result.val;
} }
TEST_F(WasmModuleVerifyTest, ExportNameWithInvalidStringLength) {
static const byte data[] = {// signatures
SIGNATURES_SECTION_VOID_VOID,
ONE_EMPTY_FUNCTION,
SECTION(EXPORT_TABLE, 12),
1, // exports
FUNC_INDEX(0), // --
NAME_LENGTH(84), // invalid string length
'e', // --
ONE_EMPTY_BODY};
EXPECT_FAILURE(data);
}
TEST_F(WasmModuleVerifyTest, ExportTableTwo) { TEST_F(WasmModuleVerifyTest, ExportTableTwo) {
static const byte data[] = {// signatures static const byte data[] = {// signatures
SIGNATURES_SECTION_VOID_VOID, SIGNATURES_SECTION_VOID_VOID,
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment