AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity

[wasm] Validate the length of strings before validating the string.

Browse Source 
BUG=chromium:644182
R=titzer@chromium.org
TEST=module-decoder-unittest.cc:ExportNameWithInvalidStringLength

Review-Url: https://codereview.chromium.org/2310023002
Cr-Commit-Position: refs/heads/master@{#39199}
This commit is contained in:
ahaas 2016-09-06 02:50:12 -07:00 committed by Commit bot
parent 17dbaff9c7
commit 1a5f8fa536
2 changed files with 20 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
src/wasm/module-decoder.cc
View File

@ -587,10 +587,13 @@ class ModuleDecoder : public Decoder {
*length = consume_u32v("string length");
uint32_t offset = pc_offset();
TRACE(" +%u %-20s: (%u bytes)\n", offset, "string", *length);
if (validate_utf8 && !unibrow::Utf8::Validate(pc_, *length)) {
error(pc_, "no valid UTF-8 string");
}
const byte* string_start = pc_;
// Consume bytes before validation to guarantee that the string is not oob.
consume_bytes(*length);
if (ok() && validate_utf8 &&
!unibrow::Utf8::Validate(string_start, *length)) {
error(string_start, "no valid UTF-8 string");
}
return offset;
}

14
test/unittests/wasm/module-decoder-unittest.cc
View File

@ -1023,6 +1023,20 @@ TEST_F(WasmModuleVerifyTest, ExportTableOne) {
if (result.val) delete result.val;
}
TEST_F(WasmModuleVerifyTest, ExportNameWithInvalidStringLength) {
static const byte data[] = {// signatures
SIGNATURES_SECTION_VOID_VOID,
ONE_EMPTY_FUNCTION,
SECTION(EXPORT_TABLE, 12),
1, // exports
FUNC_INDEX(0), // --
NAME_LENGTH(84), // invalid string length
'e', // --
ONE_EMPTY_BODY};
EXPECT_FAILURE(data);
}
TEST_F(WasmModuleVerifyTest, ExportTableTwo) {
static const byte data[] = {// signatures
SIGNATURES_SECTION_VOID_VOID,