Commit 8592c450 authored by jgruber's avatar jgruber Committed by Commit bot

Fix an OOB read through CallSite.GetFunctionName

The func_index parameter passed to GetWasmFunctionNameFromTable can be
user-controlled through the CallSite constructor. Catch out-of-bounds
reads and return null as the function name in such cases.

This applies to the 5.3 branch and will be reverted on TOT in a bit.

BUG=632965

Review-Url: https://codereview.chromium.org/2199333002
Cr-Commit-Position: refs/heads/master@{#38276}
parent 26b30e40
......@@ -54,7 +54,7 @@ MaybeHandle<String> GetWasmFunctionNameFromTable(
uint32_t num_funcs = static_cast<uint32_t>(func_names_array->get_int(0));
DCHECK(static_cast<int>(num_funcs) >= 0);
Factory* factory = func_names_array->GetIsolate()->factory();
DCHECK(func_index < num_funcs);
if (func_index >= num_funcs) return {};
int offset = func_names_array->get_int(func_index + 1);
if (offset < 0) return {};
int next_offset = func_index == num_funcs - 1
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment