Commit 46813711 authored by Ng Zhi An's avatar Ng Zhi An Committed by Commit Bot

Validate reading prefixed opcodes

If module bytes end in a prefix like 0xfc (numeric prefix), we read out
of bounds (pc + 1). So, if validate flag is set, check the length.

Bug: chromium:1073553
Change-Id: Ia9771419d01f2315723d19dd96630172b5a7a1f5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2161404Reviewed-by: 's avatarClemens Backes <clemensb@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67370}
parent a7a88149
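--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -148,8 +148,15 @@ class Decoder {
 errorf(pc, "Invalid SIMD opcode %d", index);
 }
 } else {
-index = *(pc + 1);
-*length = 1;
+if (!validate || validate_size(pc, 2, "expected 2 bytes")) {
+DCHECK(validate_size(pc, 2, "expected 2 bytes"));
+index = *(pc + 1);
+*length = 1;
+} else {
+// If kValidate and size validation fails.
+index = 0;
+*length = 0;
+}
 }
 return static_cast<WasmOpcode>((*pc) << 8 | index);
 }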
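Review bot: The failure branch (`index = 0; *length = 0;`) still falls through to `return static_cast<WasmOpcode>((*pc) << 8 | index);`, which yields a well-formed opcode value, so a caller that inspects the returned opcode before consulting the decoder's error state could act on a bogus opcode; the only signal that decoding failed is the error recorded by `validate_size`. A short comment on that else branch would make the contract explicit, e.g. `// Size validation already recorded an error; return a dummy opcode and a zero length so the caller does not advance past the end of the module bytes.` The enclosing function's header and the SIMD branch above both start outside the hunk, so whether every caller checks for an error before using the result cannot be confirmed from here.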
// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
load('test/mjsunit/wasm/wasm-module-builder.js');
const builder = new WasmModuleBuilder();
builder.addMemory(1);
builder.addFunction(undefined, kSig_v_i) .addBodyWithEnd([
kExprI32Const, 1, kExprMemoryGrow, kMemoryZero, kNumericPrefix]);
// Intentionally add just a numeric opcode prefix without the index byte.
const b = builder.toBuffer();
WebAssembly.compile(b);
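Review bot: The promise returned by `WebAssembly.compile(b)` on the last line is neither awaited nor given a rejection handler, so the expected compile failure is never asserted and the test only catches the out-of-bounds read when a sanitizer build flags it. Replacing the call with `assertThrowsAsync(WebAssembly.compile(b), WebAssembly.CompileError);` (if the mjsunit harness provides it; otherwise `assertPromiseResult` with a rejection callback) would pin the behaviour this change introduces, presumably a CompileError from the failed size validation. The comment about the missing index byte sits after the body it describes; placing it directly above `builder.addFunction(...)` would make the intent easier to find.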