[wasm] Enforce module size limit early enough

The limit needs to be checked before casting the length to int in ModuleWireBytes. R=titzer@chromium.org BUG=694433 Review-Url: https://codereview.chromium.org/2705233002 Cr-Commit-Position: refs/heads/master@{#43352}

[wasm] Enforce module size limit early enough
The limit needs to be checked before casting the length to int in ModuleWireBytes. R=titzer@chromium.org BUG=694433 Review-Url: https://codereview.chromium.org/2705233002 Cr-Commit-Position: refs/heads/master@{#43352}
cc805e42 · clemensh · Commit bot · fa5304d1 · cc805e42 · cc805e42
Commit cc805e42 authored Feb 21, 2017 by clemensh Committed by Commit bot Feb 21, 2017
Show whitespace changes
Inline Side-by-side

Showing with 17 additions and 7 deletions

wasm-js.cc src/wasm/wasm-js.cc +11 -7

regression-694433.js test/mjsunit/regress/wasm/regression-694433.js +6 -0

No files found.
--- a/src/wasm/wasm-js.cc
+++ b/src/wasm/wasm-js.cc
@@ -124,7 +124,7 @@ i::wasm::ModuleWireBytes GetFirstArgumentAsBytes(
  }

  const byte* start = nullptr;
-  const byte* end = nullptr;
+  size_t length = 0;
  v8::Local<v8::Value> source = args[0];
  if (source->IsArrayBuffer()) {
    // A raw array buffer was passed.
@@ -132,8 +132,7 @@ i::wasm::ModuleWireBytes GetFirstArgumentAsBytes(
    ArrayBuffer::Contents contents = buffer->GetContents();

    start = reinterpret_cast<const byte*>(contents.Data());
-    end = start + contents.ByteLength();
-
+    length = contents.ByteLength();
  } else if (source->IsTypedArray()) {
    // A TypedArray was passed.
    Local<TypedArray> array = Local<TypedArray>::Cast(source);
@@ -143,16 +142,21 @@ i::wasm::ModuleWireBytes GetFirstArgumentAsBytes(

    start =
        reinterpret_cast<const byte*>(contents.Data()) + array->ByteOffset();
-    end = start + array->ByteLength();
-
+    length = array->ByteLength();
  } else {
    thrower->TypeError("Argument 0 must be a buffer source");
  }
-  if (start == nullptr || end == start) {
+  DCHECK_IMPLIES(length, start != nullptr);
+  if (length == 0) {
    thrower->CompileError("BufferSource argument is empty");
  }
+  if (length > i::wasm::kV8MaxWasmModuleSize) {
+    thrower->RangeError("buffer source exceeds maximum size of %zu (is %zu)",
+                        i::wasm::kV8MaxWasmModuleSize, length);
+  }
+  if (thrower->error()) return i::wasm::ModuleWireBytes(nullptr, nullptr);
  // TODO(titzer): use the handle as well?
-  return i::wasm::ModuleWireBytes(start, end);
+  return i::wasm::ModuleWireBytes(start, start + length);
 }

 i::MaybeHandle<i::JSReceiver> GetSecondArgumentAsImports(

--- a/test/mjsunit/regress/wasm/regression-694433.js
+++ b/test/mjsunit/regress/wasm/regression-694433.js
+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+var size = 0x40000000;
+assertThrows(() => WebAssembly.validate(new Uint16Array(size)), RangeError);