Commit 79e685e2 authored by ahaas, committed by Commit bot

[wasm] Validate the index of set local in AnalyzeLoopAssignment

BUG=chromium:642867
R=titzer@chromium.org
TEST=loop-assignment-analysis-unittest.cc:regress_642867

Review-Url: https://codereview.chromium.org/2290233008
Cr-Commit-Position: refs/heads/master@{#39089}
parent 7711b1a1
...@@ -1851,7 +1851,7 @@ class WasmFullDecoder : public WasmDecoder { ...@@ -1851,7 +1851,7 @@ class WasmFullDecoder : public WasmDecoder {
case kExprSetLocal: { case kExprSetLocal: {
LocalIndexOperand operand(this, pc); LocalIndexOperand operand(this, pc);
if (assigned->length() > 0 && if (assigned->length() > 0 &&
static_cast<int>(operand.index) < assigned->length()) { operand.index < static_cast<uint32_t>(assigned->length())) {
// Unverified code might have an out-of-bounds index. // Unverified code might have an out-of-bounds index.
assigned->Add(operand.index); assigned->Add(operand.index);
} }
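Review bot: With the comparison now done unsigned, the `assigned->length() > 0 &&` guard on the line above the changed one appears redundant: no index can be below a zero length, so the condition could read `if (operand.index < static_cast<uint32_t>(assigned->length())) {`. The comment on the following line should also record why the cast moved to the length side, since that is the actual fix: `// Unverified code might have an out-of-bounds index; compare unsigned so a large index cannot wrap to a negative int and pass the check.` The enclosing function starts and ends outside the hunk, and the hunk header only names the class WasmFullDecoder; whether operand.index is validated anywhere else before this point is not visible here.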
...@@ -187,6 +187,14 @@ TEST_F(WasmLoopAssignmentAnalyzerTest, Malformed) { ...@@ -187,6 +187,14 @@ TEST_F(WasmLoopAssignmentAnalyzerTest, Malformed) {
CHECK_NULL(assigned); CHECK_NULL(assigned);
} }
TEST_F(WasmLoopAssignmentAnalyzerTest, regress_642867) {
static const byte code[] = {
WASM_LOOP(WASM_ZERO, kExprSetLocal, 0xfa, 0xff, 0xff, 0xff,
0x0f)}; // local index LEB128 0xfffffffa
// Just make sure that the analysis does not crash.
Analyze(code, code + arraysize(code));
}
} // namespace wasm } // namespace wasm
} // namespace internal } // namespace internal
} // namespace v8 } // namespace v8
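Review bot: The new regress_642867 test only checks that Analyze returns without crashing, so it catches the out-of-range index only in builds where the BitVector bounds check is fatal; in a release build an out-of-range Add would presumably just write past the vector and the test would still pass. Consider also inspecting the result, for example `BitVector* assigned = Analyze(code, code + arraysize(code));` followed by a check that no local is reported as assigned, in the same spirit as the `CHECK_NULL(assigned)` used by the Malformed test above (assuming Analyze returns the BitVector there). The comment on the test could state the intent rather than only "does not crash": `// Regression test for chromium:642867: a set_local index that is out of range must be ignored, not added to the assignment BitVector.`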