diff options
| author | Alon Zakai <azakai@google.com> | 2024-12-02 12:20:55 -0800 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2024-12-02 12:20:55 -0800 |
| commit | 31c988b30556ef000bd2212754d7fc5beebf08d2 (patch) | |
| tree | a8e3b30ad12c71aade983b9dc393b0cbc13556d7 /src | |
| parent | b1c5a007f3986c11916e8ac4a84c41c01d5e04bb (diff) | |
| download | binaryen-31c988b30556ef000bd2212754d7fc5beebf08d2.tar.gz binaryen-31c988b30556ef000bd2212754d7fc5beebf08d2.tar.bz2 binaryen-31c988b30556ef000bd2212754d7fc5beebf08d2.zip | |
[GC] Fix trapping on array.new_data of dropped segments of offset > 0 (#7124)
Even if the size is 0, if the offset is > 0 then we should trap.
Diffstat (limited to 'src')
| -rw-r--r-- | src/wasm-interpreter.h | 15 |
1 files changed, 12 insertions, 3 deletions
diff --git a/src/wasm-interpreter.h b/src/wasm-interpreter.h index 81531e27c..937248d81 100644 --- a/src/wasm-interpreter.h +++ b/src/wasm-interpreter.h @@ -4022,16 +4022,25 @@ public: const auto& seg = *wasm.getDataSegment(curr->segment); auto elemBytes = element.getByteSize(); - auto end = offset + size * elemBytes; - if ((size != 0ull && droppedDataSegments.count(curr->segment)) || - end > seg.data.size()) { + +#pragma GCC diagnostic push +#pragma GCC diagnostic ignored "-Wmaybe-uninitialized" + + uint64_t end; + if (std::ckd_add(&end, offset, size * elemBytes) || end > seg.data.size()) { trap("out of bounds segment access in array.new_data"); } + if (droppedDataSegments.count(curr->segment) && end > 0) { + trap("dropped segment access in array.new_data"); + } contents.reserve(size); for (Index i = offset; i < end; i += elemBytes) { auto addr = (void*)&seg.data[i]; contents.push_back(this->makeFromMemory(addr, element)); } + +#pragma GCC diagnostic pop + return self()->makeGCData(std::move(contents), curr->type); } Flow visitArrayNewElem(ArrayNewElem* curr) { |