Validate reading prefixed opcodes

If module bytes end in a prefix like 0xfc (numeric prefix), we read out of bounds (pc + 1). So, if validate flag is set, check the length. Bug: chromium:1073553 Change-Id: Ia9771419d01f2315723d19dd96630172b5a7a1f5 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2161404 Reviewed-by: Clemens Backes <clemensb@chromium.org> Commit-Queue: Zhi An Ng <zhin@chromium.org> Cr-Commit-Position: refs/heads/master@{#67370}
2020-04-23 15:32:21 -07:00 · 2020-04-23 15:32:21 -07:00 · 4681371139
commit 4681371139
parent a7a881495e
2 changed files with 23 additions and 2 deletions
--- a/src/wasm/decoder.h
+++ b/src/wasm/decoder.h
@ -148,8 +148,15 @@ class Decoder {
        errorf(pc, "Invalid SIMD opcode %d", index);
      }
    } else {
-      index = *(pc + 1);
-      *length = 1;
+      if (!validate || validate_size(pc, 2, "expected 2 bytes")) {
+        DCHECK(validate_size(pc, 2, "expected 2 bytes"));
+        index = *(pc + 1);
+        *length = 1;
+      } else {
+        // If kValidate and size validation fails.
+        index = 0;
+        *length = 0;
+      }
    }
    return static_cast<WasmOpcode>((*pc) << 8 | index);
  }
--- a/test/mjsunit/regress/wasm/regress-1073553.js
+++ b/test/mjsunit/regress/wasm/regress-1073553.js
@ -0,0 +1,14 @@
+// Copyright 2020 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+load('test/mjsunit/wasm/wasm-module-builder.js');
+
+const builder = new WasmModuleBuilder();
+builder.addMemory(1);
+builder.addFunction(undefined, kSig_v_i) .addBodyWithEnd([
+    kExprI32Const, 1, kExprMemoryGrow, kMemoryZero, kNumericPrefix]);
+// Intentionally add just a numeric opcode prefix without the index byte.
+
+const b = builder.toBuffer();
+WebAssembly.compile(b);