From c68fe0dd8f948c8f980616d6b527182cd5c682c3 Mon Sep 17 00:00:00 2001
From: Alon Zakai
Date: Tue, 28 Nov 2017 13:32:36 -0800
Subject: Binary fuzz fix: disallow popping from outside a block (#1305)
* remove unneeded code to handle a br to the return from the function. Now that we use getBlockOrSingleton there, it does that for us anyhow
* fix a fuzz bug of popping from outside a block
---
 src/wasm/wasm-binary.cpp | 6 ++++++
 1 file changed, 6 insertions(+)
(limited to 'src')
diff --git a/src/wasm/wasm-binary.cpp b/src/wasm/wasm-binary.cpp
index 2d1e8734c..234857442 100644
--- a/src/wasm/wasm-binary.cpp
+++ b/src/wasm/wasm-binary.cpp
@@ -2175,6 +2175,9 @@ BinaryConsts::ASTNodes WasmBinaryBuilder::readExpression(Expression*& curr) {
 }
 
 void WasmBinaryBuilder::pushBlockElements(Block* curr, size_t start, size_t end) {
+ assert(start <= expressionStack.size());
+ assert(start <= end);
+ assert(end <= expressionStack.size());
 // the first dropped element may be consumed by code later - it was on the stack first,
 // and is the only thing left on the stack. there must be just one thing on the stack
 // since we are at the end of a block context. note that we may need to drop more than
@@ -2255,6 +2258,9 @@ Expression* WasmBinaryBuilder::getBlockOrSingleton(WasmType type) {
 auto start = expressionStack.size();
 processExpressions();
 size_t end = expressionStack.size();
+ if (end < start) {
+ throw ParseException("block cannot pop from outside");
+ }
 breakStack.pop_back();
 auto* block = allocator.alloc();
 pushBlockElements(block, start, end);
--
cgit v1.2.3
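Review bot: The three new assert() calls at the top of pushBlockElements are compiled out under NDEBUG, so in a release build a malformed start/end range would still reach the element handling that follows (the body continues past this hunk) with no check at all. This file reports malformed input via ParseException elsewhere, and the second hunk already throws for `end < start` in getBlockOrSingleton, so either throw here as well or state the contract in a comment, e.g. `// range is validated against untrusted input by callers; these asserts only catch internal misuse`. The first assert is also implied by the other two (`start <= end` together with `end <= expressionStack.size()` gives `start <= expressionStack.size()`) and could be dropped.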
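Review bot: The new `if (end < start)` check in getBlockOrSingleton throws before `breakStack.pop_back()`, so the entry presumably pushed earlier in this function (outside the hunk) stays on breakStack when the exception propagates. If ParseException always terminates the whole parse this is harmless, but if any caller catches it and continues using the builder the stale entry would affect later break resolution; placing the check after the `breakStack.pop_back();` line keeps the stack balanced either way. The function begins outside the hunk.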