From 08b567e137de47f3171ac3b1d2b39a0839d3fc85 Mon Sep 17 00:00:00 2001
From: Ali Mohammad Pur <ali.mpfard@gmail.com>
Date: Sun, 30 May 2021 00:45:22 +0430
Subject: [PATCH] LibWasm: Avoid OOB accesses caused by user input

Just trap instead of crashing.
---
 .../Libraries/LibWasm/AbstractMachine/Interpreter.cpp     | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/Userland/Libraries/LibWasm/AbstractMachine/Interpreter.cpp b/Userland/Libraries/LibWasm/AbstractMachine/Interpreter.cpp
index c0cbc0d57f..a29c3e8a07 100644
--- a/Userland/Libraries/LibWasm/AbstractMachine/Interpreter.cpp
+++ b/Userland/Libraries/LibWasm/AbstractMachine/Interpreter.cpp
@@ -421,7 +421,7 @@ void BytecodeInterpreter::interpret(Configuration& configuration, InstructionPoi
         TRAP_IF_NOT(label.has_value());
         size_t end = configuration.stack().size() - label->arity() - 1;
         size_t start = end;
-        while (start > 0 && !configuration.stack().entries()[start].has<Label>())
+        while (start > 0 && start < configuration.stack().size() && !configuration.stack().entries()[start].has<Label>())
             --start;
 
         configuration.stack().entries().remove(start, end - start + 1);
@@ -437,7 +437,7 @@ void BytecodeInterpreter::interpret(Configuration& configuration, InstructionPoi
         auto& frame = configuration.frame();
         size_t end = configuration.stack().size() - frame.arity();
         size_t start = end;
-        for (; start + 1 > 0; --start) {
+        for (; start + 1 > 0 && start < configuration.stack().size(); --start) {
             auto& entry = configuration.stack().entries()[start];
             if (entry.has<Frame>()) {
                 // Leave the frame, _and_ its label.
@@ -463,6 +463,7 @@ void BytecodeInterpreter::interpret(Configuration& configuration, InstructionPoi
         goto unimplemented;
     case Instructions::call.value(): {
         auto index = instruction.arguments().get<FunctionIndex>();
+        TRAP_IF_NOT(index.value() < configuration.frame().module().functions().size());
         auto address = configuration.frame().module().functions()[index.value()];
         dbgln_if(WASM_TRACE_DEBUG, "call({})", address.value());
         call_address(configuration, address);
@@ -470,6 +471,7 @@ void BytecodeInterpreter::interpret(Configuration& configuration, InstructionPoi
     }
     case Instructions::call_indirect.value(): {
         auto& args = instruction.arguments().get<Instruction::IndirectCallArgs>();
+        TRAP_IF_NOT(args.table.value() < configuration.frame().module().tables().size());
         auto table_address = configuration.frame().module().tables()[args.table.value()];
         auto table_instance = configuration.store().get(table_address);
         auto index = configuration.stack().pop().get<Value>().to<i32>();
@@ -564,6 +566,7 @@ void BytecodeInterpreter::interpret(Configuration& configuration, InstructionPoi
         return;
     }
     case Instructions::memory_size.value(): {
+        TRAP_IF_NOT(configuration.frame().module().memories().size() > 0);
         auto address = configuration.frame().module().memories()[0];
         auto instance = configuration.store().get(address);
         auto pages = instance->size() / Constants::page_size;
@@ -572,6 +575,7 @@ void BytecodeInterpreter::interpret(Configuration& configuration, InstructionPoi
         return;
     }
     case Instructions::memory_grow.value(): {
+        TRAP_IF_NOT(configuration.frame().module().memories().size() > 0);
         auto address = configuration.frame().module().memories()[0];
         auto instance = configuration.store().get(address);
         i32 old_pages = instance->size() / Constants::page_size;