From cf908c7976d02a9d3d4810a2b5a04e502e4efed2 Mon Sep 17 00:00:00 2001 From: Thomas Lively Date: Fri, 11 Nov 2022 12:08:08 -0800 Subject: Fix two fuzz bugs with ArrayNewSeg (#5242) First, we forgot to note the type annotation on `ArrayNewSeg` instructions, so in small modules where these are the only annotated instructions, the type section would be incomplete. Second, in the interpreter we were reserving space for the array before checking that the segment access was valid. This could cause huge allocations that threw bad_alloc exceptions before the interpreter could get around to trapping. Fix the problem by reserving the array after validating the arguements. Fixes #5236. --- test/lit/arrays.wast | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) (limited to 'test/lit/arrays.wast') diff --git a/test/lit/arrays.wast b/test/lit/arrays.wast index 4a262ef13..bccbaeb09 100644 --- a/test/lit/arrays.wast +++ b/test/lit/arrays.wast @@ -12,6 +12,15 @@ (module ;; CHECK: (type $arrayref_=>_i32 (func (param arrayref) (result i32))) + ;; CHECK: (type $byte-array (array (mut i8))) + ;; ROUNDTRIP: (type $arrayref_=>_i32 (func (param arrayref) (result i32))) + + ;; ROUNDTRIP: (type $byte-array (array (mut i8))) + (type $byte-array (array (mut i8))) + ;; CHECK: (type $func-array (array (mut funcref))) + ;; ROUNDTRIP: (type $func-array (array (mut funcref))) + (type $func-array (array (mut funcref))) + ;; CHECK: (type $ref|array|_=>_i32 (func (param (ref array)) (result i32))) ;; CHECK: (type $nullref_=>_i32 (func (param nullref) (result i32))) @@ -20,9 +29,7 @@ ;; CHECK: (type $none_=>_ref|$func-array| (func (result (ref $func-array)))) - ;; CHECK: (type $byte-array (array (mut i8))) - ;; ROUNDTRIP: (type $arrayref_=>_i32 (func (param arrayref) (result i32))) - + ;; CHECK: (data "hello") ;; ROUNDTRIP: (type $ref|array|_=>_i32 (func (param (ref array)) (result i32))) ;; ROUNDTRIP: (type $nullref_=>_i32 (func (param nullref) (result i32))) 
@@ -31,13 +38,6 @@ ;; ROUNDTRIP: (type $none_=>_ref|$func-array| (func (result (ref $func-array)))) - ;; ROUNDTRIP: (type $byte-array (array (mut i8))) - (type $byte-array (array (mut i8))) - ;; CHECK: (type $func-array (array (mut funcref))) - ;; ROUNDTRIP: (type $func-array (array (mut funcref))) - (type $func-array (array (mut funcref))) - - ;; CHECK: (data "hello") ;; ROUNDTRIP: (data "hello") (data "hello") ;; CHECK: (elem func $len $impossible-len $unreachable-len) -- cgit v1.2.3
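Review bot: The updated expectations in this hunk only cover the first fix named in the description (the `$byte-array` and `$func-array` type definitions and their CHECK/ROUNDTRIP lines move ahead of the function types, consistent with ArrayNewSeg's type annotation now being recorded), while nothing in this file exercises the second fix, reserving the array only after the segment access is validated. Because the old ordering let a caller-chosen length drive a huge allocation and a `bad_alloc` before the trap, a regression test that performs an ArrayNewSeg with an offset/length beyond the segment and asserts a trap would pin the new behaviour; it may exist in a file not shown in this view, which is limited to `test/lit/arrays.wast`. It is also worth confirming that the interpreter's bounds check compares offset plus length against the segment size without unsigned wraparound, since otherwise a reserve could still precede the trap. The enclosing `(module ...)` form begins before this hunk and continues past it.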