diff options
| author | Alon Zakai <azakai@google.com> | 2024-03-22 12:27:54 -0700 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2024-03-22 12:27:54 -0700 |
| commit | 2471301a5209724b1ea32fab36b13410e96c0af9 (patch) | |
| tree | 08571f69741c973196712bb8f3c5e1f0ebd8f7a6 | |
| parent | 57dc0c975dbb82c96826f29559136c703afce3e2 (diff) | |
| download | binaryen-2471301a5209724b1ea32fab36b13410e96c0af9.tar.gz binaryen-2471301a5209724b1ea32fab36b13410e96c0af9.tar.bz2 binaryen-2471301a5209724b1ea32fab36b13410e96c0af9.zip | |
[Strings] Handle overflow in string.encode_wtf16_array (#6422)
| -rw-r--r-- | src/wasm-interpreter.h | 7 | ||||
| -rw-r--r-- | test/lit/exec/strings.wast | 38 |
2 files changed, 43 insertions, 2 deletions
diff --git a/src/wasm-interpreter.h b/src/wasm-interpreter.h index 1e0cf3ed0..c8031f617 100644 --- a/src/wasm-interpreter.h +++ b/src/wasm-interpreter.h @@ -32,6 +32,7 @@ #include "ir/module-utils.h" #include "support/bits.h" #include "support/safe_integer.h" +#include "support/stdckdint.h" #include "wasm-builder.h" #include "wasm-traversal.h" #include "wasm.h" @@ -2001,10 +2002,12 @@ public: if (!refData || !ptrData) { trap("null ref"); } - auto startVal = start.getSingleValue().getInteger(); + auto startVal = start.getSingleValue().getUnsigned(); auto& refValues = refData->values; auto& ptrValues = ptrData->values; - if (startVal + refValues.size() > ptrValues.size()) { + size_t end; + if (std::ckd_add<size_t>(&end, startVal, refValues.size()) || + end > ptrValues.size()) { trap("oob"); } diff --git a/test/lit/exec/strings.wast b/test/lit/exec/strings.wast index 341dd968b..3d2ab366d 100644 --- a/test/lit/exec/strings.wast +++ b/test/lit/exec/strings.wast @@ -245,6 +245,36 @@ ) ) + ;; CHECK: [fuzz-exec] calling encode-unsigned + ;; CHECK-NEXT: [trap oob] + (func $encode-unsigned (export "encode-unsigned") + (drop + (string.encode_wtf16_array + (string.const "ab") + (array.new_default $array16 + (i32.const 28) + ) + ;; This is a huge unsigned offset, so we will trap on oob. + (i32.const -2) + ) + ) + ) + + ;; CHECK: [fuzz-exec] calling encode-overflow + ;; CHECK-NEXT: [trap oob] + (func $encode-overflow (export "encode-overflow") + ;; The string's size + the offset lead to an overflow here in the array. + (drop + (string.encode_wtf16_array + (string.const "ab") + (array.new_default $array16 + (i32.const 10) + ) + (i32.const 9) + ) + ) + ) + ;; CHECK: [fuzz-exec] calling slice ;; CHECK-NEXT: [fuzz-exec] note result: slice => string("def") (func $slice (export "slice") (result (ref string)) @@ -332,6 +362,12 @@ ;; CHECK-NEXT: [LoggingExternalInterface logging 99] ;; CHECK-NEXT: [LoggingExternalInterface logging 0] +;; CHECK: [fuzz-exec] calling encode-unsigned +;; CHECK-NEXT: [trap oob] + +;; CHECK: [fuzz-exec] calling encode-overflow +;; CHECK-NEXT: [trap oob] + ;; CHECK: [fuzz-exec] calling slice ;; CHECK-NEXT: [fuzz-exec] note result: slice => string("def") @@ -349,6 +385,8 @@ ;; CHECK-NEXT: [fuzz-exec] comparing compare.9 ;; CHECK-NEXT: [fuzz-exec] comparing const ;; CHECK-NEXT: [fuzz-exec] comparing encode +;; CHECK-NEXT: [fuzz-exec] comparing encode-overflow +;; CHECK-NEXT: [fuzz-exec] comparing encode-unsigned ;; CHECK-NEXT: [fuzz-exec] comparing eq.1 ;; CHECK-NEXT: [fuzz-exec] comparing eq.2 ;; CHECK-NEXT: [fuzz-exec] comparing eq.3 |