[wasm] Check the size of a function body before storing it

We stored the size of a function body before we check that these values are valid. This caused a failing DCHECK in the constructor of WireBytesRef which checked for integer overflows. With this CL we check the size of the function body before we create the WireBytesRef. R=clemensh@chromium.org Bug: chromium:738097 Change-Id: I18f8b628c1499aae9c8e9340ea73c87f19e6f1d7 Reviewed-on: https://chromium-review.googlesource.com/561000 Commit-Queue: Andreas Haas <ahaas@chromium.org> Reviewed-by: Clemens Hammacher <clemensh@chromium.org> Cr-Commit-Position: refs/heads/master@{#46442}

[wasm] Check the size of a function body before storing it
We stored the size of a function body before we check that these values are valid. This caused a failing DCHECK in the constructor of WireBytesRef which checked for integer overflows. With this CL we check the size of the function body before we create the WireBytesRef. R=clemensh@chromium.org Bug: chromium:738097 Change-Id: I18f8b628c1499aae9c8e9340ea73c87f19e6f1d7 Reviewed-on: https://chromium-review.googlesource.com/561000 Commit-Queue: Andreas Haas <ahaas@chromium.org> Reviewed-by: Clemens Hammacher <clemensh@chromium.org> Cr-Commit-Position: refs/heads/master@{#46442}
6c8aed76 · Andreas Haas · Commit Bot · b9ee0657 · 6c8aed76 · 6c8aed76
Commit 6c8aed76 authored Jul 06, 2017 by Andreas Haas Committed by Commit Bot Jul 06, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 18 additions and 3 deletions

module-decoder.cc src/wasm/module-decoder.cc +5 -3

module-decoder-unittest.cc test/unittests/wasm/module-decoder-unittest.cc +13 -0

No files found.
--- a/src/wasm/module-decoder.cc
+++ b/src/wasm/module-decoder.cc
@@ -665,13 +665,15 @@ class ModuleDecoder : public Decoder {
      errorf(pos, "function body count %u mismatch (%u expected)",
             functions_count, module_->num_declared_functions);
    }
-    for (uint32_t i = 0; ok() && i < functions_count; ++i) {
+    for (uint32_t i = 0; i < functions_count; ++i) {
      WasmFunction* function =
          &module_->functions[i + module_->num_imported_functions];
      uint32_t size = consume_u32v("body size");
-      function->code = {pc_offset(), size};
+      uint32_t offset = pc_offset();
      consume_bytes(size, "function body");
-      if (ok() && verify_functions) {
+      if (failed()) break;
+      function->code = {offset, size};
+      if (verify_functions) {
        ModuleBytesEnv module_env(module_.get(), nullptr,
                                  ModuleWireBytes(start_, end_));
        VerifyFunctionBody(module_->signature_zone->allocator(),

--- a/test/unittests/wasm/module-decoder-unittest.cc
+++ b/test/unittests/wasm/module-decoder-unittest.cc
@@ -1347,6 +1347,19 @@ TEST_F(WasmModuleVerifyTest, Regression_648070) {
  EXPECT_FAILURE(data);
 }

+TEST_F(WasmModuleVerifyTest, Regression_738097) {
+  // The function body size caused an integer overflow in the module decoder.
+  static const byte data[] = {
+      SIGNATURES_SECTION(1, SIG_ENTRY_v_v),  // --
+      FUNCTION_SIGNATURES_SECTION(1, 0),     // --
+      SECTION(Code, 1 + 5 + 1),              // --
+      1,                                     // --
+      U32V_5(0xffffffff),                    // function size,
+      0                                      // No real body
+  };
+  EXPECT_FAILURE(data);
+}
+
 TEST_F(WasmModuleVerifyTest, FunctionBodies_empty) {
  static const byte data[] = {
      EMPTY_SIGNATURES_SECTION,           // --