authorAlon Zakai <azakai@google.com>2024-05-21 16:13:15 -0700
committerGitHub <noreply@github.com>2024-05-21 16:13:15 -0700
commit772e57234c3cba9bdc6432d42017f7c22b3f6e56 (patch)
tree0541b0e405c2555edd732e247ca80bb37bea4305
parent326bfcd7d9f6927e28d106a6cd6e9c408a0f6a0d (diff)
Fix TableFill bounds checking (#6621)
The offsets are unsigned.
-rw-r--r--src/wasm-interpreter.h13
-rw-r--r--test/lit/exec/table.fill.wast32
2 files changed, 36 insertions, 9 deletions
diff --git a/src/wasm-interpreter.h b/src/wasm-interpreter.h
index f9b7e8c50..c12f9cc33 100644
--- a/src/wasm-interpreter.h
+++ b/src/wasm-interpreter.h
@@ -3137,21 +3137,16 @@ public:
}
auto info = getTableInstanceInfo(curr->table);
- auto* table = self()->wasm.getTable(info.name);
- Index dest = table->indexType == Type::i64
- ? destFlow.getSingleValue().geti64()
- : destFlow.getSingleValue().geti32();
+ auto dest = destFlow.getSingleValue().getUnsigned();
Literal value = valueFlow.getSingleValue();
- Index size = table->indexType == Type::i64
- ? sizeFlow.getSingleValue().geti64()
- : sizeFlow.getSingleValue().geti32();
+ auto size = sizeFlow.getSingleValue().getUnsigned();
- Index tableSize = info.interface()->tableSize(info.name);
+ auto tableSize = info.interface()->tableSize(info.name);
if (dest + size > tableSize) {
trap("out of bounds table access");
}
- for (Index i = 0; i < size; ++i) {
+ for (uint64_t i = 0; i < size; i++) {
info.interface()->tableStore(info.name, dest + i, value);
}
return Flow();
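Review bot: The rewritten bounds check `if (dest + size > tableSize)` can still wrap for an i64-indexed table, because `getUnsigned()` yields full 64-bit operands and the sum is computed in uint64_t; a `dest` near the top of the range with a small `size` then passes the check and the loop hands `tableStore` indices that this function never validated. A wrap-free form keeps the intent without the overflow: `if (size > tableSize || dest > tableSize - size) {`. The i32 path is unaffected since both operands fit in 32 bits, which is presumably why the accompanying test does not expose it. The enclosing visit function begins before this hunk.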
diff --git a/test/lit/exec/table.fill.wast b/test/lit/exec/table.fill.wast
new file mode 100644
index 000000000..b2f092bc4
--- /dev/null
+++ b/test/lit/exec/table.fill.wast
@@ -0,0 +1,32 @@
+;; NOTE: Assertions have been generated by update_lit_checks.py --output=fuzz-exec and should not be edited.
+
+;; RUN: wasm-opt %s -all --fuzz-exec-before -q -o /dev/null 2>&1 | filecheck %s
+
+(module
+ (type $i32 (func (result i32)))
+
+ (table $table 32 32 funcref)
+
+ (func $i32 (type $i32) (result i32)
+ (i32.const 0)
+ )
+
+ ;; CHECK: [fuzz-exec] calling fill
+ ;; CHECK-NEXT: [trap out of bounds table access]
+ (func $fill (export "fill")
+ ;; This fill is out of bounds as the -1 is unsigned. Nothing will be written.
+ (table.fill $table
+ (i32.const 1)
+ (ref.func $i32)
+ (i32.const -1)
+ )
+ )
+ ;; CHECK: [fuzz-exec] calling call
+ ;; CHECK-NEXT: [trap uninitialized table element]
+ (func $call (export "call") (result i32)
+ ;; Nothing was written, so this traps.
+ (call_indirect $table (type $i32)
+ (i32.const 1)
+ )
+ )
+)
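Review bot: The new test only exercises a 32-bit table with a negative size operand, so the 64-bit-index path that the interpreter change also rewrote (`getUnsigned()` on i64 values) is not covered. A second module with an i64-indexed table and an out-of-bounds `dest`/`size` pair would pin the unsigned comparison on that path as well. As the header note says the CHECK lines are generated by update_lit_checks.py, the added case would need regenerating rather than hand-editing.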