RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-05-31 22:28:11 +00:00
Code Issues Activity Actions

LibWasm: Fix data section initialization bounds checking

Browse source
This commit is contained in:
Ali Mohammad Pur 2021-07-06 14:03:38 +04:30 committed by Ali Mohammad Pur
parent d2212a1f51
commit 03fe50d5e7
1 changed files with 12 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

16
Userland/Libraries/LibWasm/AbstractMachine/AbstractMachine.cpp
View file

@ -280,14 +280,22 @@ InstantiationResult AbstractMachine::instantiate(Module const& module, Vector<Ex
if (instantiation_result.has_value() && instantiation_result->is_error())
return;
if (main_module_instance.memories().size() <= data.index.value()) {
instantiation_result = InstantiationError { String::formatted("Data segment referenced out-of-bounds memory ({}) of max {} entries", data.index.value(), main_module_instance.memories().size()) };
instantiation_result = InstantiationError {
String::formatted("Data segment referenced out-of-bounds memory ({}) of max {} entries",
data.index.value(), main_module_instance.memories().size())
};
return;
}
auto address = main_module_instance.memories()[data.index.value()];
if (auto instance = m_store.get(address)) {
if (instance->type().limits().max().value_or(data.init.size() + offset + 1) <= data.init.size() + offset) {
instantiation_result = InstantiationError { String::formatted("Data segment attempted to write to out-of-bounds memory ({}) of max {} bytes", data.init.size() + offset, instance->type().limits().max().value()) };
return;
if (auto max = instance->type().limits().max(); max.has_value()) {
if (*max < data.init.size() + offset) {
instantiation_result = InstantiationError {
String::formatted("Data segment attempted to write to out-of-bounds memory ({}) of max {} bytes",
data.init.size() + offset, instance->type().limits().max().value())
};
return;
}
}
if (instance->size() < data.init.size() + offset)
instance->grow(data.init.size() + offset - instance->size());