[inspector] Set limit for Wasm wire byte transfer via CDP.

The `Debugger.getScriptSource()` and `Debugger.getWasmBytecode()` methods in the CDP return Wasm wire bytes as protocol::Binary, which is send as Base64-encoded JSON string in the communication to the DevTools front-end, and hence leads to either crashing the renderer that is being debugged or the renderer that's running the front-end if we allow arbitrarily huge Wasm byte sequences here. This CL introduces a limit, based on the maximum allowed string length, to avoid the crash and instead signal a proper error to the DevTools front-end. Bug: chromium:1099680 Change-Id: I356d617301d17a4012f7f845773cf14e6ad1e4a7 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2270174 Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Commit-Queue: Yang Guo <yangguo@chromium.org> Auto-Submit: Benedikt Meurer <bmeurer@chromium.org> Reviewed-by: Yang Guo <yangguo@chromium.org> Cr-Commit-Position: refs/heads/master@{#68560}

[inspector] Set limit for Wasm wire byte transfer via CDP.
The `Debugger.getScriptSource()` and `Debugger.getWasmBytecode()` methods in the CDP return Wasm wire bytes as protocol::Binary, which is send as Base64-encoded JSON string in the communication to the DevTools front-end, and hence leads to either crashing the renderer that is being debugged or the renderer that's running the front-end if we allow arbitrarily huge Wasm byte sequences here. This CL introduces a limit, based on the maximum allowed string length, to avoid the crash and instead signal a proper error to the DevTools front-end. Bug: chromium:1099680 Change-Id: I356d617301d17a4012f7f845773cf14e6ad1e4a7 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2270174 Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Commit-Queue: Yang Guo <yangguo@chromium.org> Auto-Submit: Benedikt Meurer <bmeurer@chromium.org> Reviewed-by: Yang Guo <yangguo@chromium.org> Cr-Commit-Position: refs/heads/master@{#68560}
7842920a · Benedikt Meurer · Commit Bot · 55ddbaa0 · 7842920a
Commit 7842920a authored Jun 26, 2020 by Benedikt Meurer Committed by Commit Bot Jun 26, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 17 additions and 0 deletions

v8-debugger-agent-impl.cc src/inspector/v8-debugger-agent-impl.cc +17 -0

No files found.
--- a/src/inspector/v8-debugger-agent-impl.cc
+++ b/src/inspector/v8-debugger-agent-impl.cc
@@ -63,6 +63,17 @@ static const char kDebuggerNotPaused[] =
 static const size_t kBreakpointHintMaxLength = 128;
 static const intptr_t kBreakpointHintMaxSearchOffset = 80 * 10;
+// TODO(1099680): getScriptSource and getWasmBytecode return Wasm wire bytes
+// as protocol::Binary, which is encoded as JSON string in the communication
+// to the DevTools front-end and hence leads to either crashing the renderer
+// that is being debugged or the renderer that's running the front-end if we
+// allow arbitrarily big Wasm byte sequences here. Ideally we would find a
+// different way to transfer the wire bytes (middle- to long-term), but as a
+// short-term solution, we should at least not crash.
+static const size_t kWasmBytecodeMaxLength = (v8::String::kMaxLength / 4) * 3;
+static const char kWasmBytecodeExceedsTransferLimit[] =
+    "WebAssembly bytecode exceeds the transfer limit";
 namespace {
 enum class BreakpointType {
@@ -978,6 +989,9 @@ Response V8DebuggerAgentImpl::getScriptSource(
  *scriptSource = it->second->source(0);
  v8::MemorySpan<const uint8_t> span;
  if (it->second->wasmBytecode().To(&span)) {
+    if (span.size() > kWasmBytecodeMaxLength) {
+      return Response::ServerError(kWasmBytecodeExceedsTransferLimit);
+    }
    *bytecode = protocol::Binary::fromSpan(span.data(), span.size());
  }
  return Response::Success();
@@ -993,6 +1007,9 @@ Response V8DebuggerAgentImpl::getWasmBytecode(const String16& scriptId,
  if (!it->second->wasmBytecode().To(&span))
    return Response::ServerError("Script with id " + scriptId.utf8() +
                                 " is not WebAssembly");
+  if (span.size() > kWasmBytecodeMaxLength) {
+    return Response::ServerError(kWasmBytecodeExceedsTransferLimit);
+  }
  *bytecode = protocol::Binary::fromSpan(span.data(), span.size());
  return Response::Success();
 }