[wasm] Validate prefixed opcode reads

Identify validation fails to read the index of prefixed opcodes, and not continue to decode the next bytes. Change-Id: I2c737af55615ba69ba0c5f5adf18a06c6cdb951a Bug: chromium:905815 Reviewed-on: https://chromium-review.googlesource.com/c/1390927 Commit-Queue: Deepti Gandluri <gdeepti@chromium.org> Reviewed-by: Bill Budge <bbudge@chromium.org> Cr-Commit-Position: refs/heads/master@{#58485}

[wasm] Validate prefixed opcode reads
Identify validation fails to read the index of prefixed opcodes, and not continue to decode the next bytes. Change-Id: I2c737af55615ba69ba0c5f5adf18a06c6cdb951a Bug: chromium:905815 Reviewed-on: https://chromium-review.googlesource.com/c/1390927 Commit-Queue: Deepti Gandluri <gdeepti@chromium.org> Reviewed-by: Bill Budge <bbudge@chromium.org> Cr-Commit-Position: refs/heads/master@{#58485}
29c1c5d6 · Deepti Gandluri · Commit Bot · 7ca8acd0 · 29c1c5d6 · 29c1c5d6
Commit 29c1c5d6 authored Dec 28, 2018 by Deepti Gandluri Committed by Commit Bot Dec 28, 2018
Showing with 34 additions and 0 deletions

function-body-decoder-impl.h src/wasm/function-body-decoder-impl.h +3 -0

regress-905815.js test/mjsunit/regress/wasm/regress-905815.js +27 -0

wasm-constants.js test/mjsunit/wasm/wasm-constants.js +4 -0

No files found.
--- a/src/wasm/function-body-decoder-impl.h
+++ b/src/wasm/function-body-decoder-impl.h
@@ -1156,6 +1156,7 @@ class WasmDecoder : public Decoder {
      case kNumericPrefix: {
        byte numeric_index =
            decoder->read_u8<validate>(pc + 1, "numeric_index");
+        if (!VALIDATE(decoder->ok())) return 2;
        WasmOpcode opcode =
            static_cast<WasmOpcode>(kNumericPrefix << 8 | numeric_index);
        switch (opcode) {
@@ -1200,6 +1201,7 @@ class WasmDecoder : public Decoder {
      }
      case kSimdPrefix: {
        byte simd_index = decoder->read_u8<validate>(pc + 1, "simd_index");
+        if (!VALIDATE(decoder->ok())) return 2;
        WasmOpcode opcode =
            static_cast<WasmOpcode>(kSimdPrefix << 8 | simd_index);
        switch (opcode) {
@@ -1228,6 +1230,7 @@ class WasmDecoder : public Decoder {
      }
      case kAtomicPrefix: {
        byte atomic_index = decoder->read_u8<validate>(pc + 1, "atomic_index");
+        if (!VALIDATE(decoder->ok())) return 2;
        WasmOpcode opcode =
            static_cast<WasmOpcode>(kAtomicPrefix << 8 | atomic_index);
        switch (opcode) {

--- a/test/mjsunit/regress/wasm/regress-905815.js
+++ b/test/mjsunit/regress/wasm/regress-905815.js
+// Copyright 2018 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+load('test/mjsunit/wasm/wasm-constants.js');
+load('test/mjsunit/wasm/wasm-module-builder.js');
+
+(function() {
+  const builder = new WasmModuleBuilder();
+  builder.addType(makeSig([], []));
+  builder.addType(makeSig([kWasmI32], [kWasmI32]));
+  builder.addFunction(undefined, 0 /* sig */)
+    .addBodyWithEnd([
+        kExprEnd,   // @1
+    ]);
+  builder.addFunction(undefined, 1 /* sig */)
+    .addLocals({i32_count: 65})
+    .addBodyWithEnd([
+        kExprLoop, kWasmStmt,   // @3
+        kSimdPrefix,
+        kExprF32x4Min,
+        kExprI64UConvertI32,
+        kExprI64RemS,
+        kExprUnreachable,
+        kExprLoop, 0x02,   // @10
+    ]);
+})
--- a/test/mjsunit/wasm/wasm-constants.js
+++ b/test/mjsunit/wasm/wasm-constants.js
@@ -360,6 +360,7 @@ let kExprI64SExtendI32 = 0xc4;

 // Prefix opcodes
 let kNumericPrefix = 0xfc;
+let kSimdPrefix = 0xfd;
 let kAtomicPrefix = 0xfe;

 // Numeric opcodes.
@@ -440,6 +441,9 @@ let kExprI64AtomicCompareExchange8U = 0x4c;
 let kExprI64AtomicCompareExchange16U = 0x4d;
 let kExprI64AtomicCompareExchange32U = 0x4e;

+// Simd opcodes.
+let kExprF32x4Min = 0x9e;
+
 let kTrapUnreachable          = 0;
 let kTrapMemOutOfBounds       = 1;
 let kTrapDivByZero            = 2;