From 2ce31515cbb0953344dd5d67cfadb718a9abc8d8 Mon Sep 17 00:00:00 2001
From: "Alon Zakai (kripken)"
Date: Mon, 29 May 2017 21:55:51 -0700
Subject: validate memory/table Address values in s-expr parsing
---
 src/wasm/wasm-s-parser.cpp | 24 ++++++++++++++++++++----
 1 file changed, 20 insertions(+), 4 deletions(-)
(limited to 'src/wasm/wasm-s-parser.cpp')
diff --git a/src/wasm/wasm-s-parser.cpp b/src/wasm/wasm-s-parser.cpp
index b2ee2a2f4..bff9232b8 100644
--- a/src/wasm/wasm-s-parser.cpp
+++ b/src/wasm/wasm-s-parser.cpp
@@ -1650,20 +1650,36 @@ void SExpressionWasmBuilder::parseImport(Element& s) {
 }
 } else if (im->kind == ExternalKind::Table) {
 if (j < inner.size() - 1) {
- wasm.table.initial = atoi(inner[j++]->c_str());
+ uint64_t num = atoi(inner[j++]->c_str());
+ if (num > std::numeric_limits::max()) {
+ throw ParseException("excessive table size", s.line, s.col);
+ }
+ wasm.table.initial = num;
 }
 if (j < inner.size() - 1) {
- wasm.table.max = atoi(inner[j++]->c_str());
+ uint64_t num = atoi(inner[j++]->c_str());
+ if (num > std::numeric_limits::max()) {
+ throw ParseException("excessive table size", s.line, s.col);
+ }
+ wasm.table.max = num;
 } else {
 wasm.table.max = Table::kMaxSize;
 }
 // ends with the table element type
 } else if (im->kind == ExternalKind::Memory) {
 if (j < inner.size()) {
- wasm.memory.initial = atoi(inner[j++]->c_str());
+ uint64_t num = atoi(inner[j++]->c_str());
+ if (num > std::numeric_limits::max()) {
+ throw ParseException("excessive table size", s.line, s.col);
+ }
+ wasm.memory.initial = num;
 }
 if (j < inner.size()) {
- wasm.memory.max = atoi(inner[j++]->c_str());
+ uint64_t num = atoi(inner[j++]->c_str());
+ if (num > std::numeric_limits::max()) {
+ throw ParseException("excessive table size", s.line, s.col);
+ }
+ wasm.memory.max = num;
 }
 }
 if (wasm.getImportOrNull(im->name)) throw ParseException("duplicate import", s.line, s.col);
--
cgit v1.2.3
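Review bot: The four new range checks in the Table and Memory branches still take their operand from `atoi`, which returns `int`, so a size above INT_MAX never reaches the comparison as the number that was written (out-of-range `atoi` is undefined behaviour). Assuming the `std::numeric_limits` type argument, which is not visible on this page, is a 32-bit address type, only negative inputs sign-extended into `uint64_t num` can trip the check. Parsing with `uint64_t num = strtoull(inner[j++]->c_str(), &end, 10);` and rejecting `errno == ERANGE` or a non-numeric tail before the comparison would make the limit effective for untrusted module text. The two Memory branches also throw `"excessive table size"`, which should read `"excessive memory size"` so the diagnostic names the right limit. parseImport starts and ends outside this hunk, so whether a shared parsing helper already exists for these four identical blocks cannot be told from here.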