author | Philip Blair <peblairman@gmail.com> | 2023-10-23 18:56:19 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-10-23 16:56:19 +0000 |
commit | 68ff52b278acb95201967709640733a05d6a683a (patch) | |
tree | bccae8ed9798c18ebdbb6c7593721d51e195b967 /src/wasm/wasm-validator.cpp | |
parent | 17305e5d796ced05680dbca34bebef124ac9493b (diff) | |
Fix segfault in catch validator (#6032)
The problem was that if you construct a try expression which references a nonexistent tag in
one of its catch blocks, the validation code successfully identified the null pointer but
then went on to read from it anyway.
Diffstat (limited to 'src/wasm/wasm-validator.cpp')
-rw-r--r-- | src/wasm/wasm-validator.cpp | 50 |
1 files changed, 24 insertions, 26 deletions
diff --git a/src/wasm/wasm-validator.cpp b/src/wasm/wasm-validator.cpp
index fbb57e9b0..179235fbc 100644
--- a/src/wasm/wasm-validator.cpp
+++ b/src/wasm/wasm-validator.cpp
@@ -2372,38 +2372,36 @@ void FunctionValidator::visitTry(Try* curr) {
 auto* tag = getModule()->getTagOrNull(tagName);
 if (!shouldBeTrue(tag != nullptr, curr, "")) {
 getStream() << "tag name is invalid: " << tagName << "\n";
- }
-
- if (!shouldBeEqual(tag->sig.results, Type(Type::none), curr, "")) {
+ } else if (!shouldBeEqual(tag->sig.results, Type(Type::none), curr, "")) {
 getStream() << "catch's tag (" << tagName << ") has result values, which is not allowed for exception handling";
- }
-
- auto* catchBody = curr->catchBodies[i];
- auto pops = EHUtils::findPops(catchBody);
- if (tag->sig.params == Type::none) {
- if (!shouldBeTrue(pops.empty(), curr, "")) {
- getStream() << "catch's tag (" << tagName
- << ") doesn't have any params, but there are pops";
- }
 } else {
- if (shouldBeTrue(pops.size() == 1, curr, "")) {
- auto* pop = *pops.begin();
- if (!shouldBeSubType(tag->sig.params, pop->type, curr, "")) {
- getStream()
- << "catch's tag (" << tagName
- << ")'s pop doesn't have the same type as the tag's params";
- }
- if (!shouldBeTrue(
- EHUtils::containsValidDanglingPop(catchBody), curr, "")) {
- getStream() << "catch's body (" << tagName
- << ")'s pop's location is not valid";
+ auto* catchBody = curr->catchBodies[i];
+ auto pops = EHUtils::findPops(catchBody);
+ if (tag->sig.params == Type::none) {
+ if (!shouldBeTrue(pops.empty(), curr, "")) {
+ getStream() << "catch's tag (" << tagName
+ << ") doesn't have any params, but there are pops";
 }
 } else {
- getStream() << "catch's tag (" << tagName
- << ") has params, so there should be a single pop within "
- "the catch body";
+ if (shouldBeTrue(pops.size() == 1, curr, "")) {
+ auto* pop = *pops.begin();
+ if (!shouldBeSubType(tag->sig.params, pop->type, curr, "")) {
+ getStream()
+ << "catch's tag (" << tagName
+ << ")'s pop doesn't have the same type as the tag's params";
+ }
+ if (!shouldBeTrue(
+ EHUtils::containsValidDanglingPop(catchBody), curr, "")) {
+ getStream() << "catch's body (" << tagName
+ << ")'s pop's location is not valid";
+ }
+ } else {
+ getStream() << "catch's tag (" << tagName
+ << ") has params, so there should be a single pop within "
+ "the catch body";
+ }
 }
 }
 } |
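Review bot: The null-tag guard in visitTry now rests entirely on the shape of the `else if` / `else` chain, so a later edit that adds a `tag->` use after the chain would bring back the null dereference for a module whose catch names an unknown tag; a one-line comment in the first branch would pin the invariant, e.g. `// tag is null here: every tag-> use must stay inside the branches below`. The chain also skips the pop checks whenever the tag has result values, which the old code still ran; that looks harmless because validation has already failed at that point, but the commit message does not mention it. `curr->catchBodies[i]` is indexed by a variable whose bound is set outside this hunk, so it is worth confirming there that `i` cannot reach past `catchBodies.size()` for a malformed Try. visitTry begins and ends outside the hunk.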