[wasm] Enforce memory and table limits during instantiation.

src/wasm/wasm-module.cc

 // Copyright 2015 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <memory>
 
 #include "src/assembler-inl.h"
 #include "src/base/adapters.h"
 #include "src/base/atomic-utils.h"
 #include "src/code-stubs.h"
@@ skipping 1651 matching lines @@
                             module_name, import_name);
             return -1;
           }
           WasmIndirectFunctionTable& table =
               module_->function_tables[num_imported_tables];
           TableInstance& table_instance = table_instances_[num_imported_tables];
           table_instance.table_object = Handle<WasmTableObject>::cast(value);
           table_instance.js_wrappers = Handle<FixedArray>(
               table_instance.table_object->functions(), isolate_);
 
-          // TODO(titzer): import table size must match exactly for now.
-          int table_size = table_instance.js_wrappers->length();
-          if (table_size != static_cast<int>(table.min_size)) {
+          int imported_cur_size = table_instance.js_wrappers->length();
+          if (imported_cur_size < static_cast<int>(table.min_size)) {
             thrower_->LinkError(
-                "table import %d is wrong size (%d), expected %u", index,
-                table_size, table.min_size);
+                "table import %d is smaller than minimum %d, got %u", index,
+                table.min_size, imported_cur_size);
             return -1;
           }
 
+          if (table.has_max) {
+            int64_t imported_max_size =
+                table_instance.table_object->maximum_length();
+            if (imported_max_size < 0) {
+              thrower_->LinkError(
+                  "table import %d has no maximum length, expected %d", index,
+                  table.max_size);
+              return -1;
+            }
+            if (imported_max_size > table.max_size) {
+              thrower_->LinkError(
+                  "table import %d has maximum larger than maximum %d, got %ld",
+                  index, table.max_size, imported_max_size);
+              return -1;
+            }
+          }
+
           // Allocate a new dispatch table and signature table.
+          int table_size = imported_cur_size;
           table_instance.function_table =
               isolate_->factory()->NewFixedArray(table_size);
           table_instance.signature_table =
               isolate_->factory()->NewFixedArray(table_size);
           for (int i = 0; i < table_size; ++i) {
             table_instance.signature_table->set(i,
                                                 Smi::FromInt(kInvalidSigIndex));
           }
           // Initialize the dispatch table with the (foreign) JS functions
           // that are already in the table.
@@ skipping 21 matching lines @@
           DCHECK(!instance->has_memory_object());
           if (!WasmJs::IsWasmMemoryObject(isolate_, value)) {
             ReportLinkError("memory import must be a WebAssembly.Memory object",
                             index, module_name, import_name);
             return -1;
           }
           auto memory = Handle<WasmMemoryObject>::cast(value);
           DCHECK(WasmJs::IsWasmMemoryObject(isolate_, memory));
           instance->set_memory_object(*memory);
           memory_ = Handle<JSArrayBuffer>(memory->buffer(), isolate_);
+          uint32_t imported_cur_pages = static_cast<uint32_t>(
+              memory_->byte_length()->Number() / WasmModule::kPageSize);
+          if (imported_cur_pages < module_->min_mem_pages) {
+            thrower_->LinkError(
+                "memory import %d is smaller than maximum %u, got %u", index,
+                module_->min_mem_pages, imported_cur_pages);
+          }
+          int32_t imported_max_pages = memory->maximum_pages();
+          if (module_->has_max_mem) {
+            if (imported_max_pages < 0) {
+              thrower_->LinkError(
+                  "memory import %d has no maximum limit, expected at most %u",
+                  index, imported_max_pages);
+              return -1;
+            }
+            if (static_cast<uint32_t>(imported_max_pages) >
+                module_->max_mem_pages) {
+              thrower_->LinkError(
+                  "memory import %d has larger maximum than maximum %u, got %d",
+                  index, module_->max_mem_pages, imported_max_pages);
+              return -1;
+            }
+          }
           break;
         }
         case kExternalGlobal: {
           // Global imports are converted to numbers and written into the
           // {globals_} array buffer.
           if (!value->IsNumber()) {
             ReportLinkError("global import must be a number", index,
                             module_name, import_name);
             return -1;
           }
@@ skipping 472 matching lines @@
   MaybeHandle<JSArrayBuffer> maybe_mem_buffer =
       GetInstanceMemory(isolate, instance);
   Handle<JSArrayBuffer> buffer;
   if (!maybe_mem_buffer.ToHandle(&buffer)) {
     return 0;
   } else {
     return buffer->byte_length()->Number() / WasmModule::kPageSize;
   }
 }
 
-uint32_t GetMaxInstanceMemorySize(Isolate* isolate,
-                                  Handle<WasmInstanceObject> instance) {
+uint32_t GetMaxInstanceMemoryPages(Isolate* isolate,
+                                   Handle<WasmInstanceObject> instance) {
   if (instance->has_memory_object()) {
     Handle<WasmMemoryObject> memory_object(instance->memory_object(), isolate);
-
-    int maximum = memory_object->maximum_pages();
-    if (maximum > 0) return static_cast<uint32_t>(maximum);
+    if (memory_object->has_maximum_pages()) {
+      uint32_t maximum = static_cast<uint32_t>(memory_object->maximum_pages());
+      if (maximum < kV8MaxWasmMemoryPages) return maximum;
+    }
   }
   uint32_t compiled_max_pages = instance->compiled_module()->max_mem_pages();
   isolate->counters()->wasm_max_mem_pages_count()->AddSample(
       compiled_max_pages);
   if (compiled_max_pages != 0) return compiled_max_pages;
   return kV8MaxWasmMemoryPages;
 }
 
 Handle<JSArrayBuffer> GrowMemoryBuffer(Isolate* isolate,
                                        MaybeHandle<JSArrayBuffer> buffer,
@@ skipping 55 matching lines @@
                                     uint32_t pages) {
   DCHECK(WasmJs::IsWasmMemoryObject(isolate, receiver));
   Handle<WasmMemoryObject> memory_object =
       handle(WasmMemoryObject::cast(*receiver));
   Handle<WasmInstanceWrapper> instance_wrapper(memory_object->instances_link());
   DCHECK(WasmInstanceWrapper::IsWasmInstanceWrapper(*instance_wrapper));
   DCHECK(instance_wrapper->has_instance());
   Handle<WasmInstanceObject> instance = instance_wrapper->instance_object();
   DCHECK(IsWasmInstance(*instance));
   if (pages == 0) return GetInstanceMemorySize(isolate, instance);
-  uint32_t max_pages = GetMaxInstanceMemorySize(isolate, instance);
+  uint32_t max_pages = GetMaxInstanceMemoryPages(isolate, instance);
 
   // Grow memory object buffer and update instances associated with it.
   MaybeHandle<JSArrayBuffer> memory_buffer = handle(memory_object->buffer());
   Handle<JSArrayBuffer> old_buffer;
   uint32_t old_size = 0;
   Address old_mem_start = nullptr;
   if (memory_buffer.ToHandle(&old_buffer) &&
       old_buffer->backing_store() != nullptr) {
     old_size = old_buffer->byte_length()->Number();
     old_mem_start = static_cast<Address>(old_buffer->backing_store());
@@ skipping 27 matching lines @@
     MaybeHandle<JSArrayBuffer> instance_buffer =
         GetInstanceMemory(isolate, instance);
     Handle<JSArrayBuffer> old_buffer;
     uint32_t old_size = 0;
     Address old_mem_start = nullptr;
     if (instance_buffer.ToHandle(&old_buffer) &&
         old_buffer->backing_store() != nullptr) {
       old_size = old_buffer->byte_length()->Number();
       old_mem_start = static_cast<Address>(old_buffer->backing_store());
     }
-    uint32_t max_pages = GetMaxInstanceMemorySize(isolate, instance_obj);
+    uint32_t max_pages = GetMaxInstanceMemoryPages(isolate, instance_obj);
     Handle<JSArrayBuffer> buffer =
         GrowMemoryBuffer(isolate, instance_buffer, pages, max_pages);
     if (buffer.is_null()) return -1;
     SetInstanceMemory(instance, *buffer);
     UncheckedUpdateInstanceMemory(isolate, instance, old_mem_start, old_size);
     DCHECK(old_size % WasmModule::kPageSize == 0);
     return (old_size / WasmModule::kPageSize);
   } else {
     return GrowWebAssemblyMemory(isolate, handle(instance_obj->memory_object()),
                                  pages);
@@ skipping 208 matching lines @@
 
     JSObject::AddProperty(entry, name_string, export_name.ToHandleChecked(),
                           NONE);
     JSObject::AddProperty(entry, kind_string, export_kind, NONE);
 
     storage->set(index, *entry);
   }
 
   return array_object;
 }