author | Alon Zakai <alonzakai@gmail.com> | 2017-12-14 20:23:12 -0600 |
---|---|---|
committer | GitHub <noreply@github.com> | 2017-12-14 20:23:12 -0600 |
commit | dc2c05153c57b55fdd949a8827d4c8f648db8484 (patch) | |
tree | 3f588afde5a594d9c293a121189e9002713679be | |
parent | 183be2f02636335ba1253e00ee942fb1e69cffe5 (diff) | |
download | binaryen-dc2c05153c57b55fdd949a8827d4c8f648db8484.tar.gz binaryen-dc2c05153c57b55fdd949a8827d4c8f648db8484.tar.bz2 binaryen-dc2c05153c57b55fdd949a8827d4c8f648db8484.zip |
Fix 2 binary fuzz bugs (#1323)
* Check if there is a currFunction before using it (we need it for some stacky code; a valid wasm wouldn't need a function in that location anyhow, as what can be put in a memory/table offset is very limited).
* Huge alignment led us to do a power of 2 shift that is undefined behavior.
Also adds a test facility to check we don't crash on testcases.
-rwxr-xr-x | check.py | 12 | ||||
-rw-r--r-- | src/wasm/wasm-binary.cpp | 7 | ||||
-rw-r--r-- | test/crash/outside.wasm | bin | 0 -> 183 bytes | |||
-rw-r--r-- | test/crash/use_var_outside_func.wasm | bin | 0 -> 871 bytes |
4 files changed, 18 insertions, 1 deletions
@@ -194,6 +194,17 @@ def run_wasm_merge_tests():
 with open(out + '.stdout') as f:
 fail_if_not_identical(f.read(), stdout)
+def run_crash_tests():
+ print "\n[ checking we don't crash on tricky inputs... ]\n"
+
+ for t in os.listdir(os.path.join('test', 'crash')):
+ if t.endswith(('.wast', '.wasm')):
+ print '..', t
+ t = os.path.join('test', 'crash', t)
+ cmd = WASM_OPT + [t]
+ # expect a parse error to be reported
+ run_command(cmd, expected_err='parse exception:', err_contains=True, expected_status=1)
+
 def run_ctor_eval_tests():
 print '\n[ checking wasm-ctor-eval... ]\n'
@@ -576,6 +587,7 @@ def main():
 asm2wasm.test_asm2wasm_binary()
 run_wasm_dis_tests()
 run_wasm_merge_tests()
+ run_crash_tests()
 run_ctor_eval_tests()
 run_wasm_metadce_tests()
 if has_shell_timeout():
diff --git a/src/wasm/wasm-binary.cpp b/src/wasm/wasm-binary.cpp
index 234857442..868fad1f6 100644
--- a/src/wasm/wasm-binary.cpp
+++ b/src/wasm/wasm-binary.cpp
@@ -2202,6 +2202,9 @@ void WasmBinaryBuilder::pushBlockElements(Block* curr, size_t start, size_t end)
 expressionStack.resize(start);
 // if we have a consumable item and need it, use it
 if (consumable != NONE && curr->list.back()->type == none) {
+ if (!currFunction) {
+ throw ParseException("need an extra var in a non-function context, invalid wasm");
+ }
 Builder builder(wasm);
 auto* item = curr->list[consumable]->cast<Drop>()->value;
 auto temp = builder.addVar(currFunction, item->type);
@@ -2464,7 +2467,9 @@ void WasmBinaryBuilder::visitSetGlobal(SetGlobal *curr) {
 }
 void WasmBinaryBuilder::readMemoryAccess(Address& alignment, size_t bytes, Address& offset) {
- alignment = Pow2(getU32LEB());
+ auto rawAlignment = getU32LEB();
+ if (rawAlignment > 4) throw ParseException("Alignment must be of a reasonable size");
+ alignment = Pow2(rawAlignment);
 offset = getU32LEB();
 }
diff --git a/test/crash/outside.wasm b/test/crash/outside.wasm
Binary files differnew file mode 100644
index 000000000..e223bdee1
--- /dev/null
+++ b/test/crash/outside.wasm
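Review bot: The directory walk in run_crash_tests uses a bare `os.listdir`, whose order is filesystem-dependent, so the order in which crash inputs are run (and the printed log) differs between machines; `for t in sorted(os.listdir(os.path.join('test', 'crash'))):` makes the regression run reproducible. Reusing `t` first for the basename and then for the joined path is also easy to misread; a second name such as `path` for the joined value would be clearer. A one-line docstring would state the contract the harness enforces, e.g. `"""Run wasm-opt on each file in test/crash and require a reported parse exception with exit status 1, i.e. a clean rejection rather than a crash."""`.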
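Review bot: The reason the new `if (!currFunction)` guard is needed lives only in the commit message; a comment on the guard itself would keep it with the code, e.g. `// addVar needs a function to hold the temp local; a global initializer or segment offset has none, and valid wasm never needs a temp there, so reject the input`. The guard is placed immediately before the `builder.addVar(currFunction, item->type)` call it protects, which is the right spot. pushBlockElements starts before this hunk and continues after it, so I cannot tell whether currFunction is dereferenced elsewhere in the same body before reaching this branch.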
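Review bot: The bound in `if (rawAlignment > 4) throw ParseException(...)` is a magic number: it caps the log2 alignment at 2^4 = 16 bytes, which is tighter than what is needed merely to avoid the undefined shift the commit message describes, and a reader cannot tell whether it is a spec limit or an arbitrary sanity cap. A named constant with a comment would make the intent explicit, e.g. `// alignment is encoded as log2; 16 bytes is already wider than any memory access, and larger values would overflow the shift in Pow2 (defined outside this hunk)` above `constexpr uint32_t kMaxLog2Alignment = 4;` (name constructed here) used in the comparison. The `bytes` parameter is unused in the body shown; the spec requires 2^align to be no larger than the access width, so `Pow2(rawAlignment) > bytes` would be the precise check, but that rejects more inputs than this commit intends and may belong in the validator rather than the reader.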
diff --git a/test/crash/use_var_outside_func.wasm b/test/crash/use_var_outside_func.wasm Binary files differnew file mode 100644 index 000000000..f91794845 --- /dev/null +++ b/test/crash/use_var_outside_func.wasm |