[wasm] Handle invalid function index in the elements section correctly

An invalid I32V value as index could be used to get a valid WasmFunction. R=clemensh@chromium.org Bug: chromium:735887 Change-Id: I5fbfa01fc3300d86a4a2ba9bcbb86fc02f231ef9 Reviewed-on: https://chromium-review.googlesource.com/561536Reviewed-by: Clemens Hammacher <clemensh@chromium.org> Commit-Queue: Andreas Haas <ahaas@chromium.org> Cr-Commit-Position: refs/heads/master@{#46504}

[wasm] Handle invalid function index in the elements section correctly
An invalid I32V value as index could be used to get a valid WasmFunction. R=clemensh@chromium.org Bug: chromium:735887 Change-Id: I5fbfa01fc3300d86a4a2ba9bcbb86fc02f231ef9 Reviewed-on: https://chromium-review.googlesource.com/561536Reviewed-by: Clemens Hammacher <clemensh@chromium.org> Commit-Queue: Andreas Haas <ahaas@chromium.org> Cr-Commit-Position: refs/heads/master@{#46504}
b2133cd6 · Andreas Haas · Commit Bot · 5b11996a · b2133cd6 · b2133cd6
Commit b2133cd6 authored Jul 06, 2017 by Andreas Haas Committed by Commit Bot Jul 10, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 23 additions and 3 deletions

module-decoder.cc src/wasm/module-decoder.cc +3 -3

module-decoder-unittest.cc test/unittests/wasm/module-decoder-unittest.cc +20 -0

No files found.
--- a/src/wasm/module-decoder.cc
+++ b/src/wasm/module-decoder.cc
@@ -646,11 +646,11 @@ class ModuleDecoder : public Decoder {
      std::vector<uint32_t> vector;
      module_->table_inits.push_back({table_index, offset, vector});
      WasmTableInit* init = &module_->table_inits.back();
-      for (uint32_t j = 0; ok() && j < num_elem; j++) {
+      for (uint32_t j = 0; j < num_elem; j++) {
        WasmFunction* func = nullptr;
        uint32_t index = consume_func_index(module_.get(), &func);
-        DCHECK_EQ(func != nullptr, ok());
-        if (!func) break;
+        DCHECK_IMPLIES(ok(), func != nullptr);
+        if (!ok()) break;
        DCHECK_EQ(index, func->func_index);
        init->entries.push_back(index);
        // Canonicalize signature indices during decoding.

--- a/test/unittests/wasm/module-decoder-unittest.cc
+++ b/test/unittests/wasm/module-decoder-unittest.cc
@@ -660,6 +660,26 @@ TEST_F(WasmModuleVerifyTest, OneIndirectFunction) {
  }
 }

+TEST_F(WasmModuleVerifyTest, Regression_735887) {
+  // Test with an invalid function index in the element section.
+  static const byte data[] = {
+      // sig#0 ---------------------------------------------------------------
+      SIGNATURES_SECTION_VOID_VOID,
+      // funcs ---------------------------------------------------------------
+      ONE_EMPTY_FUNCTION,
+      // table declaration ---------------------------------------------------
+      SECTION(Table, 4), ENTRY_COUNT(1), kWasmAnyFunctionTypeForm, 0, 1,
+      // elements ------------------------------------------------------------
+      SECTION(Element, 7),
+      1,  // entry count
+      TABLE_INDEX(0), WASM_INIT_EXPR_I32V_1(0),
+      1,    // elements count
+      0x9a  // invalid I32V as function index
+  };
+
+  EXPECT_FAILURE(data);
+}
+
 TEST_F(WasmModuleVerifyTest, OneIndirectFunction_one_entry) {
  static const byte data[] = {
      // sig#0 ---------------------------------------------------------------