[wasm] Verify boundaries of data segments when decoding modules.

test/unittests/wasm/module-decoder-unittest.cc

 // Copyright 2015 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "test/unittests/test-utils.h"
 
 #include "src/wasm/module-decoder.h"
 #include "src/wasm/wasm-opcodes.h"
 
 namespace v8 {
@@ skipping 27 matching lines @@
 
 struct LocalTypePair {
   uint8_t code;
   LocalType type;
 } kLocalTypes[] = {{kLocalI32, kAstI32},
                    {kLocalI64, kAstI64},
                    {kLocalF32, kAstF32},
                    {kLocalF64, kAstF64}};
 
 
+// TODO(titzer): use these macros everywhere below.
+#define U32_LE(v)                                    \
+  static_cast<byte>(v), static_cast<byte>((v) >> 8), \
+      static_cast<byte>((v) >> 16), static_cast<byte>((v) >> 24)
+
+
+#define U16_LE(v) static_cast<byte>(v), static_cast<byte>((v) >> 8)
+
+
 TEST_F(WasmModuleVerifyTest, DecodeEmpty) {
   static const byte data[1]{kDeclEnd};
   {
     ModuleResult result = DecodeModule(data, data);
     EXPECT_TRUE(result.ok());
     if (result.val) delete result.val;
   }
   {
     ModuleResult result = DecodeModule(data, data + 1);
     EXPECT_TRUE(result.ok());
@@ skipping 398 matching lines @@
   EXPECT_EQ(2055, function->local_float64_count);
 
   EXPECT_FALSE(function->exported);
   EXPECT_FALSE(function->external);
 
   if (result.val) delete result.val;
 }
 
 
 TEST_F(WasmModuleVerifyTest, OneGlobalOneFunctionWithNopBodyOneDataSegment) {
-  static const byte kCodeStartOffset = 2 + kDeclGlobalSize + 4 + 2 + 17;
+  static const byte kDeclMemorySize = 4;
+  static const byte kCodeStartOffset =
+      2 + kDeclMemorySize + kDeclGlobalSize + 4 + 2 + 17;
   static const byte kCodeEndOffset = kCodeStartOffset + 3;
 
   static const byte data[] = {
+      kDeclMemory, 28, 28, 1,
       // global#0 --------------------------------------------------
       kDeclGlobals, 1, 0, 0, 0, 0,  // name offset
       kMemU8,                       // memory type
       0,                            // exported
       // sig#0 -----------------------------------------------------
       kDeclSignatures, 1, 0, 0,  // void -> void
       // func#0 ----------------------------------------------------
       kDeclFunctions, 1, kDeclFunctionLocals | kDeclFunctionName, 0,
       0,           // signature index
       9, 0, 0, 0,  // name offset
@@ skipping 44 matching lines @@
     EXPECT_EQ(5, segment->source_size);
     EXPECT_TRUE(segment->init);
 
     if (result.val) delete result.val;
   }
 }
 
 
 TEST_F(WasmModuleVerifyTest, OneDataSegment) {
   const byte data[] = {
-      kDeclDataSegments,
-      1,
-      0xaa,
-      0xbb,
-      0x09,
+      kDeclMemory, 28, 28, 1, kDeclDataSegments, 1, 0xaa, 0xbb, 0x09,
       0,  // dest addr
-      11,
-      0,
-      0,
+      11,          0,  0,
       0,  // source offset
-      3,
-      0,
-      0,
+      3,           0,  0,
       0,  // source size
       1,  // init
   };
 
   {
+    EXPECT_VERIFIES(data);
     ModuleResult result = DecodeModule(data, data + arraysize(data));
     EXPECT_TRUE(result.ok());
     EXPECT_EQ(0, result.val->globals->size());
     EXPECT_EQ(0, result.val->functions->size());
     EXPECT_EQ(1, result.val->data_segments->size());
 
     WasmDataSegment* segment = &result.val->data_segments->back();
 
     EXPECT_EQ(0x9bbaa, segment->dest_addr);
     EXPECT_EQ(11, segment->source_offset);
     EXPECT_EQ(3, segment->source_size);
     EXPECT_TRUE(segment->init);
 
     if (result.val) delete result.val;
   }
 
-  for (size_t size = 1; size < arraysize(data); size++) {
+  for (size_t size = 5; size < arraysize(data); size++) {
     // Should fall off end of module bytes.
     ModuleResult result = DecodeModule(data, data + size);
     EXPECT_FALSE(result.ok());
     if (result.val) delete result.val;
   }
 }
 
 
 TEST_F(WasmModuleVerifyTest, TwoDataSegments) {
   const byte data[] = {
-      kDeclDataSegments,
-      2,
-      0xee,
-      0xff,
-      0x07,
+      kDeclMemory, 28,   28,   1, kDeclDataSegments, 2, 0xee, 0xff, 0x07,
       0,  // dest addr
-      9,
-      0,
-      0,
+      9,           0,    0,
       0,  // #0: source offset
-      4,
-      0,
-      0,
+      4,           0,    0,
       0,  // source size
       0,  // init
-      0xcc,
-      0xdd,
-      0x06,
+      0xcc,        0xdd, 0x06,
       0,  // #1: dest addr
-      6,
-      0,
-      0,
+      6,           0,    0,
       0,  // source offset
-      10,
-      0,
-      0,
+      10,          0,    0,
       0,  // source size
       1,  // init
   };
 
   {
     ModuleResult result = DecodeModule(data, data + arraysize(data));
     EXPECT_TRUE(result.ok());
     EXPECT_EQ(0, result.val->globals->size());
     EXPECT_EQ(0, result.val->functions->size());
     EXPECT_EQ(2, result.val->data_segments->size());
 
     WasmDataSegment* s0 = &result.val->data_segments->at(0);
     WasmDataSegment* s1 = &result.val->data_segments->at(1);
 
     EXPECT_EQ(0x7ffee, s0->dest_addr);
     EXPECT_EQ(9, s0->source_offset);
     EXPECT_EQ(4, s0->source_size);
     EXPECT_FALSE(s0->init);
 
     EXPECT_EQ(0x6ddcc, s1->dest_addr);
     EXPECT_EQ(6, s1->source_offset);
     EXPECT_EQ(10, s1->source_size);
     EXPECT_TRUE(s1->init);
 
     if (result.val) delete result.val;
   }
 
-  for (size_t size = 1; size < arraysize(data); size++) {
+  for (size_t size = 5; size < arraysize(data); size++) {
     // Should fall off end of module bytes.
     ModuleResult result = DecodeModule(data, data + size);
     EXPECT_FALSE(result.ok());
     if (result.val) delete result.val;
   }
 }
 
 
+TEST_F(WasmModuleVerifyTest, DataSegmentWithInvalidSource) {
+  const int dest_addr = 0x100;
+  const byte mem_size_log2 = 15;
+  const int kDataSize = 19;
+
+  for (int source_offset = 0; source_offset < 5 + kDataSize; source_offset++) {
+    for (int source_size = -1; source_size < 5 + kDataSize; source_size += 3) {
+      byte data[] = {
+          kDeclMemory,
+          mem_size_log2,
+          mem_size_log2,
+          1,
+          kDeclDataSegments,
+          1,
+          U32_LE(dest_addr),
+          U32_LE(source_offset),
+          U32_LE(source_size),
+          1,  // init
+      };
+
+      STATIC_ASSERT(kDataSize == arraysize(data));
+
+      if (source_offset < kDataSize && source_size >= 0 &&
+          (source_offset + source_size) <= kDataSize) {
+        EXPECT_VERIFIES(data);
+      } else {
+        EXPECT_FAILURE(data);
+      }
+    }
+  }
+}
+
+
+TEST_F(WasmModuleVerifyTest, DataSegmentWithInvalidDest) {
+  const int source_size = 3;
+  const int source_offset = 11;
+
+  for (byte mem_size_log2 = 12; mem_size_log2 < 20; mem_size_log2++) {
+    int mem_size = 1 << mem_size_log2;
+
+    for (int dest_addr = mem_size - source_size;
+         dest_addr < mem_size + source_size; dest_addr++) {
+      byte data[] = {
+          kDeclMemory,
+          mem_size_log2,
+          mem_size_log2,
+          1,
+          kDeclDataSegments,
+          1,
+          U32_LE(dest_addr),
+          U32_LE(source_offset),
+          U32_LE(source_size),
+          1,  // init
+      };
+
+      if (dest_addr <= (mem_size - source_size)) {
+        EXPECT_VERIFIES(data);
+      } else {
+        EXPECT_FAILURE(data);
+      }
+    }
+  }
+}
+
+
 // To make below tests for indirect calls much shorter.
 #define FUNCTION(sig_index, external)                \
   kDeclFunctionImport, static_cast<byte>(sig_index), \
       static_cast<byte>(sig_index >> 8)
 
 
 TEST_F(WasmModuleVerifyTest, OneIndirectFunction) {
   static const byte data[] = {
       // sig#0 -------------------------------------------------------
       kDeclSignatures, 1, 0, 0,  // void -> void
@@ skipping 297 matching lines @@
     kDeclWLL,
     0xfa, 0xff, 0xff, 0xff, 0x0f,  // LEB128 0xfffffffa
     1, 2, 3, 4,                    // 4 byte section
   };
   EXPECT_FAILURE(data);
 }
 
 }  // namespace wasm
 }  // namespace internal
 }  // namespace v8