Commit a1503030 authored by Andreas Haas's avatar Andreas Haas Committed by Commit Bot

[wasm] Check that a function body exists before verifying it.

R=clemensh@chromium.org
BUG=chromium:737069

Change-Id: Ic651c8e84eb8d3e1181355cf44aadf4c4009245b
Reviewed-on: https://chromium-review.googlesource.com/552145
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: 's avatarClemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46285}
parent 36b33251
...@@ -670,14 +670,14 @@ class ModuleDecoder : public Decoder { ...@@ -670,14 +670,14 @@ class ModuleDecoder : public Decoder {
&module_->functions[i + module_->num_imported_functions]; &module_->functions[i + module_->num_imported_functions];
uint32_t size = consume_u32v("body size"); uint32_t size = consume_u32v("body size");
function->code = {pc_offset(), size}; function->code = {pc_offset(), size};
if (verify_functions) { consume_bytes(size, "function body");
if (ok() && verify_functions) {
ModuleBytesEnv module_env(module_.get(), nullptr, ModuleBytesEnv module_env(module_.get(), nullptr,
ModuleWireBytes(start_, end_)); ModuleWireBytes(start_, end_));
VerifyFunctionBody(module_->signature_zone->allocator(), VerifyFunctionBody(module_->signature_zone->allocator(),
i + module_->num_imported_functions, &module_env, i + module_->num_imported_functions, &module_env,
function); function);
} }
consume_bytes(size, "function body");
} }
} }
......
// Copyright 2017 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --expose-wasm
load("test/mjsunit/wasm/wasm-constants.js");
load("test/mjsunit/wasm/wasm-module-builder.js");
let binary = new Binary;
binary.emit_header();
binary.emit_section(kTypeSectionCode, section => {
section.emit_u32v(1); // number of types
section.emit_u8(kWasmFunctionTypeForm);
section.emit_u32v(0); // number of parameters
section.emit_u32v(0); // number of returns
});
binary.emit_section(kFunctionSectionCode, section => {
section.emit_u32v(1); // number of functions
section.emit_u32v(0); // type index
});
binary.emit_u8(kCodeSectionCode);
binary.emit_u8(0x02); // section length
binary.emit_u8(0x01); // number of functions
binary.emit_u8(0x40); // function body size
// Function body is missing here.
let buffer = new ArrayBuffer(binary.length);
let view = new Uint8Array(buffer);
for (let i = 0; i < binary.length; i++) {
view[i] = binary[i] | 0;
}
WebAssembly.validate(buffer);
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment