Changeset 248989 in webkit

Timestamp:

Aug 21, 2019 6:42:22 PM (5 years ago)

Author:

mark.lam@apple.com

Message:

Wasm::FunctionParser is failing to enforce maxFunctionLocals.
​https://bugs.webkit.org/show_bug.cgi?id=201016
<rdar://problem/54579911>

Reviewed by Yusuke Suzuki.

JSTests:

• wasm/stress/too-many-locals.js: Added.

(import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.catch):

Source/JavaScriptCore:

Currently, Wasm::FunctionParser is allowing

maxFunctionParams + maxFunctionLocals * maxFunctionLocals

... locals, which is 0x9502FCE8. It should be enforcing max locals of
maxFunctionLocals instead.

• wasm/WasmFunctionParser.h:

(JSC::Wasm::FunctionParser<Context>::parse):

Location:

trunk

Files:

• JSTests/ChangeLog (modified) (1 diff)
• JSTests/wasm/stress/too-many-locals.js (added)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/wasm/WasmFunctionParser.h (modified) (1 diff)

trunk/JSTests/ChangeLog

@@ +1 @@
+2019-08-21  Mark Lam  <mark.lam@apple.com>
+
+        Wasm::FunctionParser is failing to enforce maxFunctionLocals.
+        https://bugs.webkit.org/show_bug.cgi?id=201016
+        <rdar://problem/54579911>
+
+        Reviewed by Yusuke Suzuki.
+
+        * wasm/stress/too-many-locals.js: Added.
+        (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.catch):
+
 2019-08-21  Ross Kirsling  <ross.kirsling@sony.com>
 

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2019-08-21  Mark Lam  <mark.lam@apple.com>
+
+        Wasm::FunctionParser is failing to enforce maxFunctionLocals.
+        https://bugs.webkit.org/show_bug.cgi?id=201016
+        <rdar://problem/54579911>
+
+        Reviewed by Yusuke Suzuki.
+
+        Currently, Wasm::FunctionParser is allowing
+
+            maxFunctionParams + maxFunctionLocals * maxFunctionLocals
+
+        ... locals, which is 0x9502FCE8.  It should be enforcing max locals of
+        maxFunctionLocals instead.
+
+        * wasm/WasmFunctionParser.h:
+        (JSC::Wasm::FunctionParser<Context>::parse):
+
 2019-08-21  Michael Saboff  <msaboff@apple.com>
 

trunk/Source/JavaScriptCore/wasm/WasmFunctionParser.h

@@ -116 +116 @@
 auto FunctionParser<Context>::parse() -> Result
 {
-    uint32_t localCount;
+    uint32_t localGroupsCount;
 
     WASM_PARSER_FAIL_IF(!m_context.addArguments(m_signature), "can't add ", m_signature.argumentCount(), " arguments to Function");
-    WASM_PARSER_FAIL_IF(!parseVarUInt32(localCount), "can't get local count");
-    WASM_PARSER_FAIL_IF(localCount > maxFunctionLocals, "Function section's local count is too big ", localCount, " maximum ", maxFunctionLocals);
-
-    for (uint32_t i = 0; i < localCount; ++i) {
+    WASM_PARSER_FAIL_IF(!parseVarUInt32(localGroupsCount), "can't get local groups count");
+
+    uint64_t totalNumberOfLocals = m_signature.argumentCount();
+    for (uint32_t i = 0; i < localGroupsCount; ++i) {
         uint32_t numberOfLocals;
         Type typeOfLocal;
 
         WASM_PARSER_FAIL_IF(!parseVarUInt32(numberOfLocals), "can't get Function's number of locals in group ", i);
-        WASM_PARSER_FAIL_IF(numberOfLocals > maxFunctionLocals, "Function section's ", i, "th local group count is too big ", numberOfLocals, " maximum ", maxFunctionLocals);
+        totalNumberOfLocals += numberOfLocals;
+        WASM_PARSER_FAIL_IF(totalNumberOfLocals > maxFunctionLocals, "Function's number of locals is too big ", totalNumberOfLocals, " maximum ", maxFunctionLocals);
         WASM_PARSER_FAIL_IF(!parseValueType(typeOfLocal), "can't get Function local's type in group ", i);
         WASM_TRY_ADD_TO_CONTEXT(addLocal(typeOfLocal, numberOfLocals));