Commit 9d7b4562 authored by Andreas Haas's avatar Andreas Haas Committed by Commit Bot

[wasm] Check for invalid function index in init expr

R=clemensh@chromium.org

Bug: chromium:1003241
Change-Id: I2c37404746bd4807040c787490fc7851ea6988d6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1807359Reviewed-by: 's avatarAndreas Haas <ahaas@chromium.org>
Reviewed-by: 's avatarClemens Hammacher <clemensh@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63825}
parent f5a84023
......@@ -1543,6 +1543,10 @@ class ModuleDecoderImpl : public Decoder {
case kExprRefFunc: {
if (enabled_features_.anyref) {
FunctionIndexImmediate<Decoder::kValidate> imm(this, pc() - 1);
if (module->functions.size() <= imm.index) {
errorf(pc() - 1, "invalid function index: %u", imm.index);
break;
}
expr.kind = WasmInitExpr::kRefFuncConst;
expr.val.function_index = imm.index;
len = imm.length;
......
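Review bot: The new bound check at `if (module->functions.size() <= imm.index)` has no comment explaining why it sits here, and a one-liner would help the next reader: `// Reject indices outside module->functions now; the stored index is presumably resolved later and must never be out of range.` The check is only as good as the assumption that `module->functions` is already fully populated when this init expr is decoded, which depends on the function section having been decoded before this one; that ordering is not visible in the hunk, so it is worth stating in the comment or asserting near the check. On the error path `len` keeps whatever value it had, since the `break` skips `len = imm.length;`; I assume decoding stops once `errorf` has been called, but if the caller still advances by `len` after an error, the branch should set it before breaking. The enclosing `switch` and the function around it start and end outside the hunk.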
......@@ -343,6 +343,22 @@ TEST_F(WasmModuleVerifyTest, FuncRefGlobal) {
}
}
TEST_F(WasmModuleVerifyTest, InvalidFuncRefGlobal) {
WASM_FEATURE_SCOPE(anyref);
static const byte data[] = {
// sig#0 ---------------------------------------------------------------
SIGNATURES_SECTION_VOID_VOID,
// funcs ---------------------------------------------------------------
TWO_EMPTY_FUNCTIONS(SIG_INDEX(0)),
SECTION(Global, // --
ENTRY_COUNT(1), // --
kLocalFuncRef, // local type
0, // immutable
WASM_INIT_EXPR_REF_FUNC(7)), // invalid function index
TWO_EMPTY_BODIES};
EXPECT_FAILURE(data);
}
TEST_F(WasmModuleVerifyTest, AnyRefGlobalWithGlobalInit) {
WASM_FEATURE_SCOPE(anyref);
static const byte data[] = {
......