[wasm] Gracefully handle malformed custom sections in WebAssembly.Module.customSections().

R=clemensh@chromium.org BUG=chromium:789952 Change-Id: Ida627fa6cdeacff01a0ec4d20e58281f17528010 Reviewed-on: https://chromium-review.googlesource.com/800941 Reviewed-by: Clemens Hammacher <clemensh@chromium.org> Commit-Queue: Ben Titzer <titzer@chromium.org> Cr-Commit-Position: refs/heads/master@{#49767}
2017-11-30 18:46:39 +01:00 · 2017-11-30 18:46:39 +01:00 · 163c1c8262
commit 163c1c8262
parent 5b7e1a01f4
2 changed files with 38 additions and 0 deletions
--- a/src/wasm/module-decoder.cc
+++ b/src/wasm/module-decoder.cc
@ -1544,8 +1544,13 @@ std::vector<CustomSectionOffset> DecodeCustomSections(const byte* start,
    uint32_t name_offset = decoder.pc_offset();
    decoder.consume_bytes(name_length, "section name");
    uint32_t payload_offset = decoder.pc_offset();
+    if (section_length < (payload_offset - section_start)) {
+      decoder.error("invalid section length");
+      break;
+    }
    uint32_t payload_length = section_length - (payload_offset - section_start);
    decoder.consume_bytes(payload_length);
+    if (decoder.failed()) break;
    result.push_back({{section_start, section_length},
                      {name_offset, name_length},
                      {payload_offset, payload_length}});
--- a/test/mjsunit/regress/wasm/regress-789952.js
+++ b/test/mjsunit/regress/wasm/regress-789952.js
@ -0,0 +1,33 @@
+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+var string_len = 0x0ffffff0 - 19;
+
+print("Allocating backing store");
+var backing = new ArrayBuffer(string_len + 19);
+
+print("Allocating typed array buffer");
+var buffer = new Uint8Array(backing);
+
+print("Filling...");
+buffer.fill(0x41);
+
+print("Setting up array buffer");
+// Magic
+buffer.set([0x00, 0x61, 0x73, 0x6D], 0);
+// Version
+buffer.set([0x01, 0x00, 0x00, 0x00], 4);
+// kUnknownSection (0)
+buffer.set([0], 8);
+// Section length
+buffer.set([0x80, 0x80, 0x80, 0x80, 0x00],  9);
+// Name length
+buffer.set([0xDE, 0xFF, 0xFF, 0x7F], 14);
+
+print("Parsing module...");
+var m = new WebAssembly.Module(buffer);
+
+print("Triggering!");
+var c = WebAssembly.Module.customSections(m, "A".repeat(string_len + 1));
+assertEquals(0, c.length);