From dc2c05153c57b55fdd949a8827d4c8f648db8484 Mon Sep 17 00:00:00 2001
From: Alon Zakai
Date: Thu, 14 Dec 2017 20:23:12 -0600
Subject: Fix 2 binary fuzz bugs (#1323)
* Check if there is a currFunction before using it (we need it for some stacky code; a valid wasm wouldn't need a function in that location anyhow, as what can be put in a memory/table offset is very limited).
* Huge alignment led us to do a power of 2 shift that is undefined behavior.
Also adds a test facility to check we don't crash on testcases.
---
 src/wasm/wasm-binary.cpp | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
(limited to 'src')
diff --git a/src/wasm/wasm-binary.cpp b/src/wasm/wasm-binary.cpp
index 234857442..868fad1f6 100644
--- a/src/wasm/wasm-binary.cpp
+++ b/src/wasm/wasm-binary.cpp
@@ -2202,6 +2202,9 @@ void WasmBinaryBuilder::pushBlockElements(Block* curr, size_t start, size_t end)
 expressionStack.resize(start);
 // if we have a consumable item and need it, use it
 if (consumable != NONE && curr->list.back()->type == none) {
+ if (!currFunction) {
+ throw ParseException("need an extra var in a non-function context, invalid wasm");
+ }
 Builder builder(wasm);
 auto* item = curr->list[consumable]->cast()->value;
 auto temp = builder.addVar(currFunction, item->type);
@@ -2464,7 +2467,9 @@ void WasmBinaryBuilder::visitSetGlobal(SetGlobal *curr) {
 }
 void WasmBinaryBuilder::readMemoryAccess(Address& alignment, size_t bytes, Address& offset) {
- alignment = Pow2(getU32LEB());
+ auto rawAlignment = getU32LEB();
+ if (rawAlignment > 4) throw ParseException("Alignment must be of a reasonable size");
+ alignment = Pow2(rawAlignment);
 offset = getU32LEB();
 }
-- 
cgit v1.2.3
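Review bot: The new `if (!currFunction)` guard in pushBlockElements should carry a comment saying when currFunction can be null, because nothing in the visible code explains it; the commit message does (this path is reached while decoding stacky code in a memory/table segment offset, where there is no function to add a scratch local to). Suggest placing `// currFunction is null while parsing a segment offset (init expr); stacky code that needs a scratch local cannot be valid there` directly above the guard. Throwing ParseException is the right outcome, since `builder.addVar(currFunction, item->type)` two lines below would otherwise be handed a null function on a malformed module. pushBlockElements begins and ends outside this hunk, so whether currFunction is used elsewhere in the function without a guard cannot be judged from here.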
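Review bot: The `rawAlignment > 4` bound in readMemoryAccess only keeps the shift inside Pow2 defined; it does not relate the alignment to the access width, and the `bytes` parameter the function receives is not used anywhere in the visible body. If no later validation pass rejects an alignment larger than the natural one, the decoder could enforce it on the same line: `if (rawAlignment > 4 || (size_t(1) << rawAlignment) > bytes) throw ParseException("Alignment must be of a reasonable size");`. If that check already lives in the validator, a one-line note such as `// only bounds the shift in Pow2; align <= bytes is checked by the validator` would stop the literal 4 from reading as the spec limit. The hunk opens inside visitSetGlobal, whose body lies outside it.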