| OLD | NEW |
|---|---|
| 1 // Copyright 2015 the V8 project authors. All rights reserved. | 1 // Copyright 2015 the V8 project authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "src/wasm/module-decoder.h" | 5 #include "src/wasm/module-decoder.h" |
| 6 | 6 |
| 7 #include "src/base/functional.h" | 7 #include "src/base/functional.h" |
| 8 #include "src/base/platform/platform.h" | 8 #include "src/base/platform/platform.h" |
| 9 #include "src/macro-assembler.h" | 9 #include "src/macro-assembler.h" |
| 10 #include "src/objects.h" | 10 #include "src/objects.h" |
| (...skipping 567 matching lines...) | |
| 578 if (offset > static_cast<uint32_t>(limit_ - start_)) { | 578 if (offset > static_cast<uint32_t>(limit_ - start_)) { |
| 579 error(pc_ - sizeof(uint32_t), "offset out of bounds of module"); | 579 error(pc_ - sizeof(uint32_t), "offset out of bounds of module"); |
| 580 } | 580 } |
| 581 return offset; | 581 return offset; |
| 582 } | 582 } |
| 583 | 583 |
| 584 // Reads a length-prefixed string, checking that it is within bounds. Returns | 584 // Reads a length-prefixed string, checking that it is within bounds. Returns |
| 585 // the offset of the string, and the length as an out parameter. | 585 // the offset of the string, and the length as an out parameter. |
| 586 uint32_t consume_string(uint32_t* length, bool validate_utf8) { | 586 uint32_t consume_string(uint32_t* length, bool validate_utf8) { |
| 587 *length = consume_u32v("string length"); | 587 *length = consume_u32v("string length"); |
| 588 // Check if the string does not exceed module boundaries. | |
| 589 if (pc_ + *length >= end_) { | |
|
titzer
2016/09/06 09:02:33
This can wrap around. There should be sufficient c
ahaas
2016/09/06 09:22:12
Done.
| |
| 590 error(pc_, "invalid string length"); | |
| 591 } | |
| 588 uint32_t offset = pc_offset(); | 592 uint32_t offset = pc_offset(); |
| 589 TRACE(" +%u %-20s: (%u bytes)\n", offset, "string", *length); | 593 TRACE(" +%u %-20s: (%u bytes)\n", offset, "string", *length); |
| 590 if (validate_utf8 && !unibrow::Utf8::Validate(pc_, *length)) { | 594 if (ok() && validate_utf8 && !unibrow::Utf8::Validate(pc_, *length)) { |
| 591 error(pc_, "no valid UTF-8 string"); | 595 error(pc_, "no valid UTF-8 string"); |
| 592 } | 596 } |
| 593 consume_bytes(*length); | 597 consume_bytes(*length); |
| 594 return offset; | 598 return offset; |
| 595 } | 599 } |
| 596 | 600 |
| 597 uint32_t consume_sig_index(WasmModule* module, FunctionSig** sig) { | 601 uint32_t consume_sig_index(WasmModule* module, FunctionSig** sig) { |
| 598 const byte* pos = pc_; | 602 const byte* pos = pc_; |
| 599 uint32_t sig_index = consume_u32v("signature index"); | 603 uint32_t sig_index = consume_u32v("signature index"); |
| 600 if (sig_index >= module->signatures.size()) { | 604 if (sig_index >= module->signatures.size()) { |
| (...skipping 213 matching lines...) | |
| 814 decoder.consume_bytes(size); | 818 decoder.consume_bytes(size); |
| 815 } | 819 } |
| 816 if (decoder.more()) decoder.error("unexpected additional bytes"); | 820 if (decoder.more()) decoder.error("unexpected additional bytes"); |
| 817 | 821 |
| 818 return decoder.toResult(std::move(table)); | 822 return decoder.toResult(std::move(table)); |
| 819 } | 823 } |
| 820 | 824 |
| 821 } // namespace wasm | 825 } // namespace wasm |
| 822 } // namespace internal | 826 } // namespace internal |
| 823 } // namespace v8 | 827 } // namespace v8 |
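Review bot: In `consume_string`, the added check at new line 589 compares with `>=`, so a string whose last byte is the final byte before `end_` is reported as "invalid string length" even though it lies entirely inside the buffer. This assumes `end_` points one past the last valid byte, which the `>` comparison against `limit_ - start_` at line 578 suggests but the visible lines do not confirm. Comparing the length with the bytes that remain, `if (*length > static_cast<size_t>(end_ - pc_)) {`, accepts that boundary case. On the failure path `*length` also keeps the value read from the module and is returned to the caller together with `offset`; unless every caller checks `ok()` before storing the pair, adding `*length = 0;` after the `error(...)` call keeps an out-of-range length from propagating into later reads.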