src/wasm/module-decoder.cc - Issue 1608743006: [wasm] Verify boundaries of data segments when decoding modules.

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: src/wasm/module-decoder.cc

Issue 1608743006: [wasm] Verify boundaries of data segments when decoding modules. (Closed) Base URL: https://chromium.googlesource.com/v8/v8.git@master

Patch Set: Created 4 years, 11 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: src/wasm/module-decoder.cc

diff --git a/src/wasm/module-decoder.cc b/src/wasm/module-decoder.cc

index 0b92247558175818e5af9c574b52cedfe1da0c60..56cd164befc5e5ab9cff61ef7ba266e3fd2b1adf 100644

--- a/src/wasm/module-decoder.cc

+++ b/src/wasm/module-decoder.cc

@@ -157,7 +157,7 @@ class ModuleDecoder : public Decoder {

static_cast<int>(pc_ - start_));

module->data_segments->push_back({0, 0, 0});

WasmDataSegment* segment = &module->data_segments->back();

- DecodeDataSegmentInModule(segment);

+ DecodeDataSegmentInModule(module, segment);

}

break;

}

@@ -345,14 +345,33 @@ class ModuleDecoder : public Decoder {

}

+ bool IsWithinLimit(uint32_t limit, uint32_t low, uint32_t size) {

bradnelson 2016/01/20 14:49:34 low -> offset /base / start ?

+ if (low > limit) return false;

+ if ((low + size) < low) return false; // overflow

+ return (low + size) <= limit;

+ }

// Decodes a single data segment entry inside a module starting at {pc_}.

- void DecodeDataSegmentInModule(WasmDataSegment* segment) {

- segment->dest_addr =

- u32("destination"); // TODO(titzer): check it's within the memory size.

+ void DecodeDataSegmentInModule(WasmModule* module, WasmDataSegment* segment) {

+ segment->dest_addr = u32("destination");

segment->source_offset = offset("source offset");

- segment->source_size =

- u32("source size"); // TODO(titzer): check the size is reasonable.

+ segment->source_size = u32("source size");

segment->init = u8("init");

+ // Validate the data is in the module.

+ uint32_t module_limit = static_cast<uint32_t>(limit_ - start_);

+ if (!IsWithinLimit(module_limit, segment->source_offset,

+ segment->source_size)) {

+ error(pc_ - sizeof(uint32_t), "segment out of bounds of module");

+ }

+ // Validate that the segment will fit into the (minimum) memory.

+ uint32_t memory_limit =

+ 1 << (module ? module->min_mem_size_log2 : WasmModule::kMaxMemSize);

+ if (!IsWithinLimit(memory_limit, segment->dest_addr,

+ segment->source_size)) {

+ error(pc_ - sizeof(uint32_t), "segment out of bounds of memory");

+ }

}

// Verifies the body (code) of a given function.

« no previous file with comments | « no previous file | src/wasm/wasm-js.cc » ('j') | no next file with comments »