Changeset 216921 in webkit


Ignore:
Timestamp:
May 16, 2017 2:24:13 AM (7 years ago)
Author:
jfbastien@apple.com
Message:

WebAssembly: enforce size limits
https://bugs.webkit.org/show_bug.cgi?id=165833
<rdar://problem/29760219>

Reviewed by Keith Miller.

Use the same limits as V8.

  • JavaScriptCore.xcodeproj/project.pbxproj:
  • wasm/WasmLimits.h: Added.
  • wasm/WasmModuleParser.cpp:
  • wasm/WasmParser.h:

(JSC::Wasm::Parser<SuccessType>::consumeUTF8String):

Location:
trunk/Source/JavaScriptCore
Files:
1 added
4 edited

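--- a/trunk/Source/JavaScriptCore/ChangeLog
+++ b/trunk/Source/JavaScriptCore/ChangeLog
@@ -1,2 +1,18 @@
+2017-05-16  JF Bastien  <jfbastien@apple.com>
+
+        WebAssembly: enforce size limits
+        https://bugs.webkit.org/show_bug.cgi?id=165833
+        <rdar://problem/29760219>
+
+        Reviewed by Keith Miller.
+
+        Use the same limits as V8.
+
+        * JavaScriptCore.xcodeproj/project.pbxproj:
+        * wasm/WasmLimits.h: Added.
+        * wasm/WasmModuleParser.cpp:
+        * wasm/WasmParser.h:
+        (JSC::Wasm::Parser<SuccessType>::consumeUTF8String):
+
 2017-05-15  Yusuke Suzuki  <utatane.tea@gmail.com>
 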
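--- a/trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj
+++ b/trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj
@@ -2081,4 +2081,5 @@
                 A7FCC26D17A0B6AA00786D1A /* FTLSwitchCase.h in Headers */ = {isa = PBXBuildFile; fileRef = A7FCC26C17A0B6AA00786D1A /* FTLSwitchCase.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 A8A4748E151A8306004123FF /* libWTF.a in Frameworks */ = {isa = PBXBuildFile; fileRef = A8A4748D151A8306004123FF /* libWTF.a */; };
+                AD00659E1ECAC812000CA926 /* WasmLimits.h in Headers */ = {isa = PBXBuildFile; fileRef = AD00659D1ECAC7FE000CA926 /* WasmLimits.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 AD2FCBE21DB58DAD00B3E736 /* JSWebAssemblyCompileError.cpp in Sources */ = {isa = PBXBuildFile; fileRef = AD2FCBA61DB58DA400B3E736 /* JSWebAssemblyCompileError.cpp */; };
                 AD2FCBE31DB58DAD00B3E736 /* JSWebAssemblyCompileError.h in Headers */ = {isa = PBXBuildFile; fileRef = AD2FCBA71DB58DA400B3E736 /* JSWebAssemblyCompileError.h */; };
@@ -4712,4 +4713,5 @@
                 A8E894310CD0602400367179 /* JSCallbackObjectFunctions.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSCallbackObjectFunctions.h; sourceTree = "<group>"; };
                 A8E894330CD0603F00367179 /* JSGlobalObject.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSGlobalObject.h; sourceTree = "<group>"; };
+                AD00659D1ECAC7FE000CA926 /* WasmLimits.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = WasmLimits.h; sourceTree = "<group>"; };
                 AD1CF06816DCAB2D00B97123 /* PropertyTable.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = PropertyTable.cpp; sourceTree = "<group>"; };
                 AD2FCB8C1DB5844000B3E736 /* JSWebAssemblyModule.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = JSWebAssemblyModule.cpp; path = js/JSWebAssemblyModule.cpp; sourceTree = "<group>"; };
@@ -6431,4 +6433,5 @@
                                 AD8FF3961EB5BD850087FF82 /* WasmIndexOrName.cpp */,
                                 AD8FF3951EB5BD850087FF82 /* WasmIndexOrName.h */,
+                                AD00659D1ECAC7FE000CA926 /* WasmLimits.h */,
                                 53E9E0A91EAE83DE00FEE251 /* WasmMachineThreads.cpp */,
                                 53E9E0AA1EAE83DE00FEE251 /* WasmMachineThreads.h */,
@@ -9470,4 +9473,5 @@
                                 A784A26411D16622005776AC /* SyntaxChecker.h in Headers */,
                                 DC7997831CDE9FA0004D4A09 /* TagRegistersMode.h in Headers */,
+                                AD00659E1ECAC812000CA926 /* WasmLimits.h in Headers */,
                                 70ECA6081AFDBEA200449739 /* TemplateRegistry.h in Headers */,
                                 70ECA6091AFDBEA200449739 /* TemplateRegistryKey.h in Headers */,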
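--- a/trunk/Source/JavaScriptCore/wasm/WasmModuleParser.cpp
+++ b/trunk/Source/JavaScriptCore/wasm/WasmModuleParser.cpp
@@ -52,4 +52,5 @@
 
     WASM_PARSER_FAIL_IF(length() < minSize, "expected a module of at least ", minSize, " bytes");
+    WASM_PARSER_FAIL_IF(length() > maxModuleSize, "module size ", length(), " is too large, maximum ", maxModuleSize);
     WASM_PARSER_FAIL_IF(!consumeCharacter(0) || !consumeString("asm"), "modules doesn't start with '\\0asm'");
     WASM_PARSER_FAIL_IF(!parseUInt32(versionNumber), "can't parse version number");
@@ -103,5 +104,5 @@
 
     WASM_PARSER_FAIL_IF(!parseVarUInt32(count), "can't get Type section's count");
-    WASM_PARSER_FAIL_IF(count == std::numeric_limits<uint32_t>::max(), "Type section's count is too big ", count);
+    WASM_PARSER_FAIL_IF(count > maxTypes, "Type section's count is too big ", count, " maximum ", maxTypes);
     WASM_PARSER_FAIL_IF(!m_info->usedSignatures.tryReserveCapacity(count), "can't allocate enough memory for Type section's ", count, " entries");
 
@@ -114,5 +115,5 @@
         WASM_PARSER_FAIL_IF(type != Func, i, "th Type is non-Func ", type);
         WASM_PARSER_FAIL_IF(!parseVarUInt32(argumentCount), "can't get ", i, "th Type's argument count");
-        WASM_PARSER_FAIL_IF(argumentCount == std::numeric_limits<uint32_t>::max(), i, "th argument count is too big ", argumentCount);
+        WASM_PARSER_FAIL_IF(argumentCount > maxFunctionParams, i, "th argument count is too big ", argumentCount, " maximum ", maxFunctionParams);
         RefPtr<Signature> maybeSignature = Signature::tryCreate(argumentCount);
         WASM_PARSER_FAIL_IF(!maybeSignature, "can't allocate enough memory for Type section's ", i, "th signature");
@@ -146,5 +147,5 @@
     uint32_t importCount;
     WASM_PARSER_FAIL_IF(!parseVarUInt32(importCount), "can't get Import section's count");
-    WASM_PARSER_FAIL_IF(importCount == std::numeric_limits<uint32_t>::max(), "Import section's count is too big ", importCount);
+    WASM_PARSER_FAIL_IF(importCount > maxImports, "Import section's count is too big ", importCount, " maximum ", maxImports);
     WASM_PARSER_FAIL_IF(!m_info->globals.tryReserveCapacity(importCount), "can't allocate enough memory for ", importCount, " globals"); // FIXME this over-allocates when we fix the FIXMEs below.
     WASM_PARSER_FAIL_IF(!m_info->imports.tryReserveCapacity(importCount), "can't allocate enough memory for ", importCount, " imports"); // FIXME this over-allocates when we fix the FIXMEs below.
@@ -212,5 +213,5 @@
     uint32_t count;
     WASM_PARSER_FAIL_IF(!parseVarUInt32(count), "can't get Function section's count");
-    WASM_PARSER_FAIL_IF(count == std::numeric_limits<uint32_t>::max(), "Function section's count is too big ", count);
+    WASM_PARSER_FAIL_IF(count > maxFunctions, "Function section's count is too big ", count, " maximum ", maxFunctions);
     WASM_PARSER_FAIL_IF(!m_info->internalFunctionSignatureIndices.tryReserveCapacity(count), "can't allocate enough memory for ", count, " Function signatures");
     WASM_PARSER_FAIL_IF(!m_info->functionLocationInBinary.tryReserveCapacity(count), "can't allocate enough memory for ", count, "Function locations");
@@ -335,4 +336,5 @@
     uint32_t globalCount;
     WASM_PARSER_FAIL_IF(!parseVarUInt32(globalCount), "can't get Global section's count");
+    WASM_PARSER_FAIL_IF(globalCount > maxGlobals, "Global section's count is too big ", globalCount, " maximum ", maxGlobals);
     WASM_PARSER_FAIL_IF(!m_info->globals.tryReserveCapacity(globalCount + m_info->firstInternalGlobal), "can't allocate memory for ", globalCount + m_info->firstInternalGlobal, " globals");
 
@@ -360,5 +362,5 @@
     uint32_t exportCount;
     WASM_PARSER_FAIL_IF(!parseVarUInt32(exportCount), "can't get Export section's count");
-    WASM_PARSER_FAIL_IF(exportCount == std::numeric_limits<uint32_t>::max(), "Export section's count is too big ", exportCount);
+    WASM_PARSER_FAIL_IF(exportCount > maxExports, "Export section's count is too big ", exportCount, " maximum ", maxExports);
     WASM_PARSER_FAIL_IF(!m_info->exports.tryReserveCapacity(exportCount), "can't allocate enough memory for ", exportCount, " exports");
 
@@ -425,5 +427,5 @@
     uint32_t elementCount;
     WASM_PARSER_FAIL_IF(!parseVarUInt32(elementCount), "can't get Element section's count");
-    WASM_PARSER_FAIL_IF(elementCount == std::numeric_limits<uint32_t>::max(), "Element section's count is too big ", elementCount);
+    WASM_PARSER_FAIL_IF(elementCount > maxTableEntries, "Element section's count is too big ", elementCount, " maximum ", maxTableEntries);
     WASM_PARSER_FAIL_IF(!m_info->elements.tryReserveCapacity(elementCount), "can't allocate memory for ", elementCount, " Elements");
     for (unsigned elementNum = 0; elementNum < elementCount; ++elementNum) {
@@ -472,4 +474,5 @@
         WASM_PARSER_FAIL_IF(functionSize > length(), "Code function's size ", functionSize, " exceeds the module's size ", length());
         WASM_PARSER_FAIL_IF(functionSize > length() - m_offset, "Code function's size ", functionSize, " exceeds the module's remaining size", length() - m_offset);
+        WASM_PARSER_FAIL_IF(functionSize > std::numeric_limits<uint32_t>::max(), "Code function's size ", functionSize, " is too big");
 
         m_info->functionLocationInBinary[i].start = m_offset;
@@ -556,5 +559,5 @@
     WASM_PARSER_FAIL_IF(!m_info->memory, "Data section cannot exist without a Memory section or Import");
     WASM_PARSER_FAIL_IF(!parseVarUInt32(segmentCount), "can't get Data section's count");
-    WASM_PARSER_FAIL_IF(segmentCount == std::numeric_limits<uint32_t>::max(), "Data section's count is too big ", segmentCount);
+    WASM_PARSER_FAIL_IF(segmentCount > maxDataSegments, "Data section's count is too big ", segmentCount, " maximum ", maxDataSegments);
     WASM_PARSER_FAIL_IF(!m_info->data.tryReserveCapacity(segmentCount), "can't allocate enough memory for Data section's ", segmentCount, " segments");
 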
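Review bot: The line added in the Code section hunk, `WASM_PARSER_FAIL_IF(functionSize > std::numeric_limits<uint32_t>::max(), "Code function's size ", functionSize, " is too big");`, can never fire if functionSize is the uint32_t that parseVarUInt32 fills (its declaration is outside the hunk), so unlike every other hunk in this file no named limit actually bounds a single function's body, and compilers may warn that the comparison is always false. If a per-function cap is intended, compare against a constant declared alongside the others in WasmLimits.h and report it the way the sibling checks do, e.g. `WASM_PARSER_FAIL_IF(functionSize > <FUNCTION_SIZE_LIMIT_PLACEHOLDER>, "Code function's size ", functionSize, " is too big, maximum ", <FUNCTION_SIZE_LIMIT_PLACEHOLDER>);` with the placeholder replaced by the chosen limit; otherwise the line should be dropped rather than left as a no-op. Separately, the Element section hunk bounds the number of element segments with maxTableEntries, whose name suggests a cap on table entries rather than on segment count; the per-segment index counts are parsed in the loop that continues past the hunk, so whether they are bounded the same way is not visible here and is worth confirming.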
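--- a/trunk/Source/JavaScriptCore/wasm/WasmParser.h
+++ b/trunk/Source/JavaScriptCore/wasm/WasmParser.h
@@ -31,4 +31,5 @@
 #include "B3Procedure.h"
 #include "WasmFormat.h"
+#include "WasmLimits.h"
 #include "WasmModuleInformation.h"
 #include "WasmOps.h"
@@ -147,4 +148,6 @@
     if (length() < stringLength || m_offset > length() - stringLength)
         return false;
+    if (stringLength > maxStringSize)
+        return false;
     if (!result.tryReserveCapacity(stringLength))
         return false;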
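Review bot: In consumeUTF8String the new `if (stringLength > maxStringSize)` test is placed after the comparison against length(), so the fixed limit is only consulted once the string is already known to fit inside the module; checking the constant bound first keeps the rejection independent of module state and reads as "policy limit, then bounds". One way is to fold it into the existing guard: `if (stringLength > maxStringSize || length() < stringLength || m_offset > length() - stringLength)` followed by the existing `return false;`. Either order rejects before tryReserveCapacity, so the allocation bound is the same; consumeUTF8String's body starts and ends outside the hunk.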