[wasm][fuzzer] Check 'main' export to be a function before execution

In the test case the module contained a memory which got exported by the name 'main'. The fuzzer crashed when it tried to cast the memory to a function to execute it. This CL checks that 'main' is a function before doint the cast. R=clemensh@chromium.org Bug: chromium:763349 Change-Id: I9a21413c8038a7547f8b59057afea2870b15499a Reviewed-on: https://chromium-review.googlesource.com/659978Reviewed-by: Clemens Hammacher <clemensh@chromium.org> Commit-Queue: Andreas Haas <ahaas@chromium.org> Cr-Commit-Position: refs/heads/master@{#47941}

[wasm][fuzzer] Check 'main' export to be a function before execution
In the test case the module contained a memory which got exported by the name 'main'. The fuzzer crashed when it tried to cast the memory to a function to execute it. This CL checks that 'main' is a function before doint the cast. R=clemensh@chromium.org Bug: chromium:763349 Change-Id: I9a21413c8038a7547f8b59057afea2870b15499a Reviewed-on: https://chromium-review.googlesource.com/659978Reviewed-by: Clemens Hammacher <clemensh@chromium.org> Commit-Queue: Andreas Haas <ahaas@chromium.org> Cr-Commit-Position: refs/heads/master@{#47941}
d2da19c7 · Andreas Haas · Commit Bot · 68e4d86c · d2da19c7
Commit d2da19c7 authored Sep 11, 2017 by Andreas Haas Committed by Commit Bot Sep 11, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 0 deletions

wasm-module-runner.cc test/common/wasm/wasm-module-runner.cc +1 -0

No files found.
--- a/test/common/wasm/wasm-module-runner.cc
+++ b/test/common/wasm/wasm-module-runner.cc
@@ -177,6 +177,7 @@ MaybeHandle<WasmExportedFunction> GetExportedFunction(Isolate* isolate,
  Maybe<bool> property_found = JSReceiver::GetOwnPropertyDescriptor(
      isolate, exports_object, main_name, &desc);
  if (!property_found.FromMaybe(false)) return {};
+  if (!desc.value()->IsJSFunction()) return {};

  return Handle<WasmExportedFunction>::cast(desc.value());
 }