From 5078eea1ce0b41b01ed29459b2b4713171ad13a3 Mon Sep 17 00:00:00 2001
From: Clemens Backes
Date: Fri, 8 Jul 2022 10:36:18 +0200
Subject: [PATCH] [wasm] Limit module size in streaming decoder

Limit the allowed module size in the streaming decoder to 256kiB to avoid OOMs on systems that are very memory constained (32-bit ASan builds).

Drive-by: Skip linting wasm fuzzer input files, as those are binary files.

R=ahaas@chromium.org

Bug: chromium:1334577, chromium:1337558
Change-Id: Ie5599088fd25c0bc7c8f9f1a953d31fe61a21844
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3700073
Reviewed-by: Michael Achenbach
Reviewed-by: Andreas Haas
Commit-Queue: Clemens Backes
Cr-Commit-Position: refs/heads/main@{#81602}
---
 PRESUBMIT.py                               | 14 +++++++++-----
 test/fuzzer/wasm-streaming.cc              |  5 ++++-
 test/fuzzer/wasm_streaming/regress-1334577 | Bin 0 -> 15 bytes
 3 files changed, 13 insertions(+), 6 deletions(-)
 create mode 100644 test/fuzzer/wasm_streaming/regress-1334577

diff --git a/PRESUBMIT.py b/PRESUBMIT.py
index cb6888d32a..03db4c126f 100644
--- a/PRESUBMIT.py
+++ b/PRESUBMIT.py
@@ -486,14 +486,18 @@ def _CheckNoexceptAnnotations(input_api, output_api):
   """
   def FilterFile(affected_file):
-    return input_api.FilterSourceFile(
-        affected_file,
-        files_to_check=(r'src[\\\/].*', r'test[\\\/].*'),
+    files_to_skip = _EXCLUDED_PATHS + (
         # Skip api.cc since we cannot easily add the 'noexcept' annotation to
         # public methods.
+        r'src[\\\/]api[\\\/]api\.cc',
         # Skip src/bigint/ because it's meant to be V8-independent.
-        files_to_skip=(r'src[\\\/]api[\\\/]api\.cc',
-                       r'src[\\\/]bigint[\\\/].*'))
+        r'src[\\\/]bigint[\\\/].*',
+    )
+    return input_api.FilterSourceFile(
+        affected_file,
+        files_to_check=(r'src[\\\/].*\.cc', r'src[\\\/].*\.h',
+                        r'test[\\\/].*\.cc', r'test[\\\/].*\.h'),
+        files_to_skip=files_to_skip)
   # matches any class name.
   class_name = r'\b([A-Z][A-Za-z0-9_:]*)(?:::\1)?'
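Review bot: The new `files_to_check` tuple in FilterFile gives no hint of why `.*` was narrowed to explicit `.cc`/`.h` suffixes; the commit message says it is to keep the binary wasm fuzzer corpus under test/ out of this lint, and that reason should live in the code, e.g. `# Only C++ sources: test/ also holds binary fuzzer input files.` placed above `files_to_check=`. Separately, if FilterSourceFile applies these patterns with `re.match` (start-anchored only, as the depot_tools implementation does), `r'src[\\\/].*\.cc'` also matches names such as `src/foo.cc.orig`; end-anchoring with `\.cc$` and `\.h$` pins the intent exactly. The enclosing _CheckNoexceptAnnotations continues past the end of the hunk.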
diff --git a/test/fuzzer/wasm-streaming.cc b/test/fuzzer/wasm-streaming.cc
index 09e45f08ba..5ac5f36e61 100644
--- a/test/fuzzer/wasm-streaming.cc
+++ b/test/fuzzer/wasm-streaming.cc
@@ -43,7 +43,7 @@ struct CompilationResult {
 class TestResolver : public CompilationResultResolver {
  public:
-  TestResolver(i::Isolate* isolate) : isolate_(isolate) {}
+  explicit TestResolver(i::Isolate* isolate) : isolate_(isolate) {}
   void OnCompilationSucceeded(i::Handle module) override {
     done_ = true;
@@ -159,6 +159,9 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
   // the flag by itself.
   fuzzer::OneTimeEnableStagedWasmFeatures(isolate);
 
+  // Limit the maximum module size to avoid OOM.
+  FLAG_wasm_max_module_size = 256 * KB;
+
   WasmFeatures enabled_features = i::wasm::WasmFeatures::FromIsolate(i_isolate);
   base::Vector data_vec{data, size - 1};
diff --git a/test/fuzzer/wasm_streaming/regress-1334577 b/test/fuzzer/wasm_streaming/regress-1334577
new file mode 100644
index 0000000000000000000000000000000000000000..d174f4ea6501b586c21f429eaeffaf3f082ce256
GIT binary patch
literal 15
TcmZQbEY4+Q0D}KO!2BNoBTfcE

literal 0
HcmV?d00001
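Review bot: `FLAG_wasm_max_module_size = 256 * KB;` is written on the per-input path of LLVMFuzzerTestOneInput, so it is re-applied on every iteration even though it never varies; either hoist it next to the one-time `fuzzer::OneTimeEnableStagedWasmFeatures(isolate)` setup or extend the comment to `// Limit the maximum module size to avoid OOM (flag is process-global; re-set per input on purpose).` so the placement reads as deliberate. The cap only helps if the streaming decoder consults this flag as bytes arrive rather than once the full stream is buffered — that is not visible from this hunk, so it is worth confirming, since otherwise the fuzzer still allocates the whole input before rejecting it. The context line `base::Vector data_vec{data, size - 1}` underflows for `size == 0` unless an early return above the hunk handles it; LLVMFuzzerTestOneInput starts before the hunk, so such a guard cannot be seen here. With a 256 KiB cap, inputs above that size exercise only the rejection path, so a matching `-max_len` in the fuzzer's options would keep the corpus from growing past the limit.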