Changeset 207843 in webkit


Timestamp:
Oct 25, 2016 2:10:46 PM (8 years ago)
Author:
jfbastien@apple.com
Message:

WebAssembly: fix unknown section name handling, and check for section size overflow
https://bugs.webkit.org/show_bug.cgi?id=163959

See: https://github.com/WebAssembly/design/blob/master/BinaryEncoding.md#high-level-structure

Name length and name are already included in the payload length.

Reviewed by Filip Pizlo.

  • wasm/WasmModuleParser.cpp:
    (JSC::Wasm::ModuleParser::parse):

Location:
trunk/Source/JavaScriptCore
Files:
2 edited

  • trunk/Source/JavaScriptCore/ChangeLog

    r207842 r207843  
     12016-10-25  JF Bastien  <jfbastien@apple.com>
     2
     3        WebAssembly: fix unknown section name handling, and check for section size overflow
     4        https://bugs.webkit.org/show_bug.cgi?id=163959
     5
     6        See: https://github.com/WebAssembly/design/blob/master/BinaryEncoding.md#high-level-structure
     7
     8        Name length and name are already included in the payload length.
     9
     10        Reviewed by Filip Pizlo.
     11
     12        * wasm/WasmModuleParser.cpp:
     13        (JSC::Wasm::ModuleParser::parse):
     14
    1152016-10-25  Christopher Reid  <Christopher.Reid@am.sony.com>
    216
  • trunk/Source/JavaScriptCore/wasm/WasmModuleParser.cpp

    r207825 r207843  
    8989            if (sectionByte < Sections::Unknown)
    9090                section = static_cast<Sections::Section>(sectionByte);
    91         } else {
    92             uint32_t sectionNameLength;
    93             if (!parseVarUInt32(sectionNameLength)) {
    94                 // FIXME improve error message https://bugs.webkit.org/show_bug.cgi?id=163919
    95                 m_errorMessage = "couldn't get section name length";
    96                 return false;
    97             }
    98 
    99             // Make sure we can read up to the section's size.
    100             if (m_offset + sectionNameLength + WTF::LEBDecoder::max32BitLEBByteLength >= length()) {
    101                 // FIXME improve error message https://bugs.webkit.org/show_bug.cgi?id=163919
    102                 m_errorMessage = "section length is bigger than actual size";
    103                 return false;
    104             }
    105 
    106             // We don't support any custom sections yet.
    107 
    108             m_offset += sectionNameLength;
    10991        }
    11092
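Review bot: deleting the whole `} else {` branch leaves `section` untouched on the unknown path, so this hunk is only correct if `section` is initialised to `Sections::Unknown` before the `if (sectionByte < Sections::Unknown)` test; that initialisation is outside the shown lines, and a one-line comment at the `if` saying the unknown case is handled by the default value would save the next reader from checking, since the later `switch (section)` depends on it. Dropping the removed bound `m_offset + sectionNameLength + WTF::LEBDecoder::max32BitLEBByteLength >= length()` is also the right call on its own merits: that sum can wrap in 32-bit arithmetic when `sectionNameLength` is close to `UINT32_MAX`, so the old check could pass for exactly the inputs it was meant to reject.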
     
    122104        }
    123105
    124         unsigned end = m_offset + sectionLength;
     106        if (sectionLength > length() - m_offset) {
     107            // FIXME improve error message https://bugs.webkit.org/show_bug.cgi?id=163919
     108            m_errorMessage = "section content would overflow Module's size";
     109            return false;
     110        }
     111
     112        auto end = m_offset + sectionLength;
    125113
    126114        switch (section) {
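Review bot: `sectionLength > length() - m_offset` is the overflow-safe form, but it is only sound if `m_offset <= length()` holds on entry; an `ASSERT(m_offset <= length())` (or a comment naming that invariant) directly above the check would make this explicit, because an `m_offset` past the end would make the subtraction wrap and let an oversized section through. With the check in place, changing `unsigned end` to `auto end` is fine, as `m_offset + sectionLength` can no longer wrap. The `// FIXME improve error message` line is copied at every error site; a single helper that sets `m_errorMessage` and returns `false` would remove the repetition and give one place to improve the messages when 163919 is addressed.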
     
    175163            if (verbose)
    176164                dataLogLn("Unknown section, skipping.");
     165            // Ignore section's name LEB and bytes: they're already included in sectionLength.
    177166            m_offset += sectionLength;
    178167            break;
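Review bot: the added comment is accurate, the name LEB and name bytes are inside `sectionLength`, so `m_offset += sectionLength` skips them in one step; it would help to also say that this skip is bounded only by the `sectionLength > length() - m_offset` check earlier in `parse`, since nothing in this case validates the name LEB itself and a malformed or oversized name inside an unknown section is accepted as opaque payload. That is consistent with custom sections not being supported yet, but logging `sectionLength` alongside "Unknown section, skipping." under `verbose` would make such inputs visible when debugging a module that parses but does not behave.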