[wasm] Block compile/instantiate of large array buffers

third_party/WebKit/Source/bindings/core/v8/V8Initializer.cpp

 /*
  * Copyright (C) 2009 Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
@@ skipping 124 matching lines @@
       level = WarningMessageLevel;
       break;
     case v8::Isolate::kMessageError:
       level = InfoMessageLevel;
       break;
     default:
       NOTREACHED();
   }
   return level;
 }
+
+const size_t kWasmWireBytesLimit = 1 << 12;
+
 }  // namespace
 
 void V8Initializer::messageHandlerInMainThread(v8::Local<v8::Message> message,
                                                v8::Local<v8::Value> data) {
   ASSERT(isMainThread());
   v8::Isolate* isolate = v8::Isolate::GetCurrent();
 
   if (isolate->GetEnteredContext().IsEmpty())
     return;
 
@@ skipping 157 matching lines @@
   if (ExecutionContext* executionContext = toExecutionContext(context)) {
     if (ContentSecurityPolicy* policy =
             toDocument(executionContext)->contentSecurityPolicy())
       return policy->allowEval(ScriptState::from(context),
                                ContentSecurityPolicy::SendReport,
                                ContentSecurityPolicy::WillThrowException);
   }
   return false;
 }
 
+static bool allowWasmCompileCallbackInMainThread(v8::Local<v8::Value> source,
+                                                 bool asPromise) {
+  if (asPromise)

[bradnelson, 2017/02/18 22:16:22]

Maybe comment that we allow any size for promise i.e. async cases?

[Mircea Trofin, 2017/02/19 00:18:33]

Done.

+    return true;
+  if (source->IsArrayBuffer() &&
+      v8::Local<v8::ArrayBuffer>::Cast(source)->ByteLength() >
+          kWasmWireBytesLimit) {
+    return false;
+  }
+  if (source->IsArrayBufferView() &&
+      v8::Local<v8::ArrayBufferView>::Cast(source)->ByteLength() >
+          kWasmWireBytesLimit) {
+    return false;
+  }
+  return true;
+}
+
+static bool allowWasmInstantiateCallbackInMainThread(
+    v8::Local<v8::WasmCompiledModule> source,
+    v8::Local<v8::Value> ffi,
+    bool asPromise) {
+  if (asPromise)
+    return true;
+  if (static_cast<size_t>(source->GetWasmWireBytes()->Length()) >
+      kWasmWireBytesLimit) {
+    return false;
+  }
+  return true;
+}
+
 static void initializeV8Common(v8::Isolate* isolate) {
   isolate->AddGCPrologueCallback(V8GCController::gcPrologue);
   isolate->AddGCEpilogueCallback(V8GCController::gcEpilogue);
   std::unique_ptr<ScriptWrappableVisitor> visitor(
       new ScriptWrappableVisitor(isolate));
   V8PerIsolateData::from(isolate)->setScriptWrappableVisitor(
       std::move(visitor));
   isolate->SetEmbedderHeapTracer(
       V8PerIsolateData::from(isolate)->scriptWrappableVisitor());
 
@@ skipping 75 matching lines @@
   isolate->SetFatalErrorHandler(reportFatalErrorInMainThread);
   isolate->AddMessageListenerWithErrorLevel(
       messageHandlerInMainThread,
       v8::Isolate::kMessageError | v8::Isolate::kMessageWarning |
           v8::Isolate::kMessageInfo | v8::Isolate::kMessageDebug |
           v8::Isolate::kMessageLog);
   isolate->SetFailedAccessCheckCallbackFunction(
       failedAccessCheckCallbackInMainThread);
   isolate->SetAllowCodeGenerationFromStringsCallback(
       codeGenerationCheckCallbackInMainThread);
-
+  isolate->SetAllowWasmCompileCallback(allowWasmCompileCallbackInMainThread);
+  isolate->SetAllowWasmInstantiateCallback(
+      allowWasmInstantiateCallbackInMainThread);
   if (RuntimeEnabledFeatures::v8IdleTasksEnabled()) {
     V8PerIsolateData::enableIdleTasks(
         isolate, WTF::makeUnique<V8IdleTaskRunner>(scheduler));
   }
 
   isolate->SetPromiseRejectCallback(promiseRejectHandlerInMainThread);
 
   if (v8::HeapProfiler* profiler = isolate->GetHeapProfiler()) {
     profiler->SetWrapperClassInfoProvider(
         WrapperTypeInfo::NodeClassId, &RetainedDOMInfo::createRetainedDOMInfo);
@@ skipping 86 matching lines @@
           v8::Isolate::kMessageLog);
   isolate->SetFatalErrorHandler(reportFatalErrorInWorker);
 
   uint32_t here;
   isolate->SetStackLimit(reinterpret_cast<uintptr_t>(&here) -
                          kWorkerMaxStackSize);
   isolate->SetPromiseRejectCallback(promiseRejectHandlerInWorker);
 }
 
 }  // namespace blink