[wasm] Bound the allowed number of locals.

This CL fixes the first bug I found with the new fuzzing. The problem is that the number of locals is unbounded. This CL bounds the number of locals of one type with 8000000, an arbitrary number. R=titzer@chromium.org BUG= Review-Url: https://codereview.chromium.org/2271803004 Cr-Commit-Position: refs/heads/master@{#38936}

[wasm] Bound the allowed number of locals.
This CL fixes the first bug I found with the new fuzzing. The problem is that the number of locals is unbounded. This CL bounds the number of locals of one type with 8000000, an arbitrary number. R=titzer@chromium.org BUG= Review-Url: https://codereview.chromium.org/2271803004 Cr-Commit-Position: refs/heads/master@{#38936}
71f93e60 · ahaas · Commit bot · e53d2ace · 71f93e60 · 71f93e60
Commit 71f93e60 authored Aug 26, 2016 by ahaas Committed by Commit bot Aug 26, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 28 additions and 1 deletion

ast-decoder.cc src/wasm/ast-decoder.cc +5 -0

ast-decoder.h src/wasm/ast-decoder.h +2 -0

ast-decoder-unittest.cc test/unittests/wasm/ast-decoder-unittest.cc +21 -1

No files found.
--- a/src/wasm/ast-decoder.cc
+++ b/src/wasm/ast-decoder.cc
@@ -661,8 +661,13 @@ class WasmFullDecoder : public WasmDecoder {
    }
    // Decode local declarations, if any.
    uint32_t entries = consume_u32v("local decls count");
+    TRACE("local decls count: %u\n", entries);
    while (entries-- > 0 && pc_ < limit_) {
      uint32_t count = consume_u32v("local count");
+      if (count > kMaxNumWasmLocals) {
+        error(pc_ - 1, "local count too large");
+        return;
+      }
      byte code = consume_u8("local type");
      LocalType type;
      switch (code) {

--- a/src/wasm/ast-decoder.h
+++ b/src/wasm/ast-decoder.h
@@ -21,6 +21,8 @@ class WasmGraphBuilder;

 namespace wasm {

+const uint32_t kMaxNumWasmLocals = 8000000;
+
 // Helpers for decoding different kinds of operands which follow bytecodes.
 struct LocalIndexOperand {
  uint32_t index;

--- a/test/unittests/wasm/ast-decoder-unittest.cc
+++ b/test/unittests/wasm/ast-decoder-unittest.cc
@@ -238,6 +238,11 @@ TEST_F(AstDecoderTest, GetLocal0_local) {
  EXPECT_VERIFIES(sigs.i_v(), kCodeGetLocal0);
 }

+TEST_F(AstDecoderTest, TooManyLocals) {
+  AddLocals(kAstI32, 4034986500);
+  EXPECT_FAILURE(sigs.i_v(), kCodeGetLocal0);
+}
+
 TEST_F(AstDecoderTest, GetLocal0_param_n) {
  FunctionSig* array[] = {sigs.i_i(), sigs.i_ii(), sigs.i_iii()};

@@ -269,8 +274,23 @@ TEST_F(AstDecoderTest, GetLocal_off_end) {
  EXPECT_FAILURE(sigs.i_i(), code);
 }

+TEST_F(AstDecoderTest, NumLocalBelowLimit) {
+  AddLocals(kAstI32, kMaxNumWasmLocals - 1);
+  EXPECT_VERIFIES_INLINE(sigs.v_v(), WASM_NOP);
+}
+
+TEST_F(AstDecoderTest, NumLocalAtLimit) {
+  AddLocals(kAstI32, kMaxNumWasmLocals);
+  EXPECT_VERIFIES_INLINE(sigs.v_v(), WASM_NOP);
+}
+
+TEST_F(AstDecoderTest, NumLocalAboveLimit) {
+  AddLocals(kAstI32, kMaxNumWasmLocals + 1);
+  EXPECT_FAILURE_INLINE(sigs.v_v(), WASM_NOP);
+}
+
 TEST_F(AstDecoderTest, GetLocal_varint) {
-  const int kMaxLocals = 8000000;
+  const int kMaxLocals = kMaxNumWasmLocals;
  AddLocals(kAstI32, kMaxLocals);

  for (int index = 0; index < kMaxLocals; index = index * 11 + 5) {