From 62b71e06eb69e00c9771d442ce7d2d93f3e03497 Mon Sep 17 00:00:00 2001
From: Thomas Lively <7121787+tlively@users.noreply.github.com>
Date: Wed, 31 Mar 2021 14:46:51 -0700
Subject: Catch bad tuple.extract index in parser (#3766)

Previously an out-of-bounds index would result in an out-of-bounds read during finalization of the tuple.extract expression.
---
 src/wasm/wasm-s-parser.cpp | 4 ++++
 src/wasm/wasm.cpp | 1 +
 2 files changed, 5 insertions(+)

(limited to 'src')

diff --git a/src/wasm/wasm-s-parser.cpp b/src/wasm/wasm-s-parser.cpp
index c1d25f10d..f3ab50f0c 100644
--- a/src/wasm/wasm-s-parser.cpp
+++ b/src/wasm/wasm-s-parser.cpp
@@ -2527,6 +2527,10 @@ Expression* SExpressionWasmBuilder::makeTupleExtract(Element& s) {
   auto ret = allocator.alloc();
   ret->index = atoi(s[1]->str().c_str());
   ret->tuple = parseExpression(s[2]);
+  if (ret->tuple->type != Type::unreachable &&
+      ret->index >= ret->tuple->type.size()) {
+    throw ParseException("Bad index on tuple.extract", s[1]->line, s[1]->col);
+  }
   ret->finalize();
   return ret;
 }
diff --git a/src/wasm/wasm.cpp b/src/wasm/wasm.cpp
index 18f8594b1..2ccd9a70a 100644
--- a/src/wasm/wasm.cpp
+++ b/src/wasm/wasm.cpp
@@ -872,6 +872,7 @@ void TupleExtract::finalize() {
   if (tuple->type == Type::unreachable) {
     type = Type::unreachable;
   } else {
+    assert(index < tuple->type.size());
     type = tuple->type[index];
   }
 }
-- 
cgit v1.2.3
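Review bot: The new bounds check `ret->index >= ret->tuple->type.size()` still trusts the `atoi` call on the line above it, which silently yields 0 for a non-numeric token and has undefined behaviour on overflow, so a malformed index such as `x` is accepted as element 0 instead of being rejected with the same ParseException. A checked conversion closes that gap: `char* end = nullptr; auto idx = std::strtoul(s[1]->str().c_str(), &end, 10); if (*end != '\0') { throw ParseException("Bad index on tuple.extract", s[1]->line, s[1]->col); }` before the assignment to `ret->index`. The type of `ret->index` is not visible in the hunk; if it is signed, a negative value from `atoi` would also need an explicit check, since the `>=` comparison alone may not catch it. makeTupleExtract's signature precedes the hunk; its body closes within it.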
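Review bot: The `assert(index < tuple->type.size())` added in TupleExtract::finalize is compiled out under NDEBUG, so in release builds the out-of-bounds read named in the commit message still exists for any producer of a TupleExtract that does not pre-validate `index`; the s-parser hunk now does, but other construction paths are not touched by this commit and I cannot see from the hunk whether they check. Either the contract should be written down or the check made unconditional; at minimum a comment above the assert, `// Callers must validate index before finalize(); this assert is a debug-only guard against an out-of-bounds read of tuple->type.`, tells the next producer where the responsibility lies. finalize's signature precedes the hunk; its body closes within it.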