From 2471301a5209724b1ea32fab36b13410e96c0af9 Mon Sep 17 00:00:00 2001
From: Alon Zakai
Date: Fri, 22 Mar 2024 12:27:54 -0700
Subject: [Strings] Handle overflow in string.encode_wtf16_array (#6422)
---
 src/wasm-interpreter.h | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
(limited to 'src/wasm-interpreter.h')
diff --git a/src/wasm-interpreter.h b/src/wasm-interpreter.h
index 1e0cf3ed0..c8031f617 100644
--- a/src/wasm-interpreter.h
+++ b/src/wasm-interpreter.h
@@ -32,6 +32,7 @@
 #include "ir/module-utils.h"
 #include "support/bits.h"
 #include "support/safe_integer.h"
+#include "support/stdckdint.h"
 #include "wasm-builder.h"
 #include "wasm-traversal.h"
 #include "wasm.h"
@@ -2001,10 +2002,12 @@ public:
 if (!refData || !ptrData) {
 trap("null ref");
 }
- auto startVal = start.getSingleValue().getInteger();
+ auto startVal = start.getSingleValue().getUnsigned();
 auto& refValues = refData->values;
 auto& ptrValues = ptrData->values;
- if (startVal + refValues.size() > ptrValues.size()) {
+ size_t end;
+ if (std::ckd_add(&end, startVal, refValues.size()) || end > ptrValues.size()) {
 trap("oob");
 }
-- 
cgit v1.2.3
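Review bot: `size_t end;` in the new bounds check of the second hunk is left uninitialized and is only assigned through the out-parameter of `std::ckd_add`, so a reader has to trace the `||` short-circuit to see that `end > ptrValues.size()` never reads an unset value; `size_t end = 0;` makes that explicit and keeps clang-tidy's init-variables check quiet. The reason for the checked add also deserves a comment, because the removed line looked correct at a glance: `// start is guest-controlled: a checked add keeps a large start from wrapping past the bounds check.` The guard depends on the helper from "support/stdckdint.h" matching C23 semantics (overflow judged against the mathematical sum as represented in the result type), which matters when `startVal` is wider than `size_t`, e.g. on a 32-bit host; that header is not visible here, so confirm it. The enclosing function begins and ends outside the hunk.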