[wasm][bug] Check that type indexes are within limits in read_value_type

Failing to do so results in an error when generating the respective ValueType, since the index has to be encoded in 24 bits. Bug: v8:7748, chromium:1080444 Change-Id: Ifd1ce9744388b65f91dbd9eaeb497726c6cd207e Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2214823 Commit-Queue: Manos Koukoutos <manoskouk@chromium.org> Reviewed-by: Andreas Haas <ahaas@chromium.org> Cr-Commit-Position: refs/heads/master@{#67952}

[wasm][bug] Check that type indexes are within limits in read_value_type
Failing to do so results in an error when generating the respective ValueType, since the index has to be encoded in 24 bits. Bug: v8:7748, chromium:1080444 Change-Id: Ifd1ce9744388b65f91dbd9eaeb497726c6cd207e Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2214823 Commit-Queue: Manos Koukoutos <manoskouk@chromium.org> Reviewed-by: Andreas Haas <ahaas@chromium.org> Cr-Commit-Position: refs/heads/master@{#67952}
be6c7f4a · Manos Koukoutos · Commit Bot · c3112fc2 · be6c7f4a
Commit be6c7f4a authored May 25, 2020 by Manos Koukoutos Committed by Commit Bot May 25, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 18 additions and 2 deletions

function-body-decoder-impl.h src/wasm/function-body-decoder-impl.h +18 -2

No files found.
--- a/src/wasm/function-body-decoder-impl.h
+++ b/src/wasm/function-body-decoder-impl.h
@@ -265,7 +265,15 @@ ValueType read_value_type(Decoder* decoder, const byte* pc,
        uint32_t type_index =
            decoder->read_u32v<validate>(pc + 1, length, "type index");
        (*length)++;
-        return ValueType(ValueType::kRef, type_index);
+        if (!VALIDATE(type_index < kV8MaxWasmTypes)) {
+          decoder->errorf(pc,
+                          "Type index %u is greater than the maximum "
+                          "number %zu of type definitions supported by V8",
+                          type_index, kV8MaxWasmTypes);
+          return kWasmBottom;
+        } else {
+          return ValueType(ValueType::kRef, type_index);
+        }
      }
      decoder->error(pc,
                     "invalid value type 'ref', enable with "
@@ -276,7 +284,15 @@ ValueType read_value_type(Decoder* decoder, const byte* pc,
        uint32_t type_index =
            decoder->read_u32v<validate>(pc + 1, length, "type index");
        (*length)++;
-        return ValueType(ValueType::kOptRef, type_index);
+        if (!VALIDATE(type_index < kV8MaxWasmTypes)) {
+          decoder->errorf(pc,
+                          "Type index %u is greater than the maximum "
+                          "number %zu of type definitions supported by V8",
+                          type_index, kV8MaxWasmTypes);
+          return kWasmBottom;
+        } else {
+          return ValueType(ValueType::kOptRef, type_index);
+        }
      }
      decoder->error(pc,
                     "invalid value type 'optref', enable with "