Commit b9c269a5 authored by Ben Smith's avatar Ben Smith Committed by Commit Bot

[wasm] Check decoder in {memory,table}.init

The MemoryInitImmediate and TableInitImmediate read a Memory/Table
index, followed by a segment index. If reading the first index fails, we
need to stop reading, or the decoder will read past the end.

Bug: chromium:907324
Change-Id: I3eb46c08d03e3b2e44ed4081d307b32c799abcec
Reviewed-on: https://chromium-review.googlesource.com/c/1351502
Commit-Queue: Ben Smith <binji@chromium.org>
Reviewed-by: 's avatarAndreas Haas <ahaas@chromium.org>
Reviewed-by: 's avatarClemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#57889}
parent b115752c
......@@ -462,14 +462,16 @@ struct Simd8x16ShuffleImmediate {
template <Decoder::ValidateFlag validate>
struct MemoryInitImmediate {
MemoryIndexImmediate<validate> memory;
uint32_t data_segment_index;
unsigned length;
uint32_t data_segment_index = 0;
unsigned length = 0;
inline MemoryInitImmediate(Decoder* decoder, const byte* pc)
: memory(decoder, pc + 1) {
if (!VALIDATE(decoder->ok())) return;
uint32_t len = 0;
data_segment_index = decoder->read_i32v<validate>(
pc + 2 + memory.length, &length, "data segment index");
length += memory.length;
pc + 2 + memory.length, &len, "data segment index");
length = memory.length + len;
}
};
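Review bot: The new `if (!VALIDATE(decoder->ok())) return;` in the MemoryInitImmediate constructor deserves a comment, since a reader can mistake it for a null check rather than the bounds guard the commit message describes; suggest `// Stop if the memory index failed to decode: the offset below would be computed from a partially read immediate and could run past the end of the body.` The early return also leaves `length` at its new default of 0 rather than `memory.length`, so a caller that reads `imm.length` before checking `decoder->ok()` now sees a different value than before; if that contract is relied on, it is worth stating next to `unsigned length = 0;`. If `VALIDATE` collapses to true when the `validate` flag is off, this guard only protects the validating decoder, which presumably is the intent but could be noted as well. The same points apply to the TableInitImmediate hunk that follows (`if (!VALIDATE(decoder->ok())) return;` after `: table(decoder, pc + 1)`).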
......@@ -486,14 +488,16 @@ struct MemoryDropImmediate {
template <Decoder::ValidateFlag validate>
struct TableInitImmediate {
TableIndexImmediate<validate> table;
uint32_t elem_segment_index;
unsigned length;
uint32_t elem_segment_index = 0;
unsigned length = 0;
inline TableInitImmediate(Decoder* decoder, const byte* pc)
: table(decoder, pc + 1) {
if (!VALIDATE(decoder->ok())) return;
uint32_t len = 0;
elem_segment_index = decoder->read_i32v<validate>(
pc + 2 + table.length, &length, "elem segment index");
length += table.length;
pc + 2 + table.length, &len, "elem segment index");
length = table.length + len;
}
};
......@@ -2744,6 +2744,19 @@ TEST_F(FunctionBodyDecoderTest, MemoryInit) {
// TODO(binji): validate segment index.
}
TEST_F(FunctionBodyDecoderTest, MemoryInitInvalid) {
TestModuleBuilder builder;
builder.InitializeMemory();
module = builder.module();
WASM_FEATURE_SCOPE(bulk_memory);
byte code[] = {WASM_MEMORY_INIT(0, WASM_ZERO, WASM_ZERO, WASM_ZERO),
WASM_END};
for (size_t i = 0; i <= arraysize(code); ++i) {
Verify(i == arraysize(code), sigs.v_v(), code, code + i, kOmitEnd);
}
}
TEST_F(FunctionBodyDecoderTest, MemoryDrop) {
EXPECT_FAILURE(v_v, WASM_MEMORY_DROP(0));
WASM_FEATURE_SCOPE(bulk_memory);
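Review bot: The prefix loop in MemoryInitInvalid would read better with a one-line comment stating its contract, e.g. `// Every strict prefix of the instruction must be rejected; only the complete body decodes.`, and the same applies to the identical loop in TableInitInvalid in the next hunk. The two new tests also set up their modules differently: TableInitInvalid calls `builder.AddPassiveElementSegment()` while MemoryInitInvalid declares no data segment at all, which presumably only passes while segment indices are unvalidated (see the `// TODO(binji): validate segment index.` left in the preceding test). If TestModuleBuilder offers an equivalent setup step for data segments, adding it now keeps the full-length case passing once that TODO is resolved.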
......@@ -2790,6 +2803,19 @@ TEST_F(FunctionBodyDecoderTest, TableInit) {
EXPECT_FAILURE(v_v, WASM_TABLE_INIT(1, WASM_ZERO, WASM_ZERO, WASM_ZERO));
}
TEST_F(FunctionBodyDecoderTest, TableInitInvalid) {
TestModuleBuilder builder;
builder.InitializeTable();
builder.AddPassiveElementSegment();
module = builder.module();
WASM_FEATURE_SCOPE(bulk_memory);
byte code[] = {WASM_TABLE_INIT(0, WASM_ZERO, WASM_ZERO, WASM_ZERO), WASM_END};
for (size_t i = 0; i <= arraysize(code); ++i) {
Verify(i == arraysize(code), sigs.v_v(), code, code + i, kOmitEnd);
}
}
TEST_F(FunctionBodyDecoderTest, TableDrop) {
TestModuleBuilder builder;
builder.InitializeTable();