[wasm] Enforce WASM function body size limitations in module decoder path.

R=clemensh@chromium.org Bug: v8:6959 Change-Id: I27164598dddf58da7f3040b7139c4ae99c52800f Reviewed-on: https://chromium-review.googlesource.com/733097 Reviewed-by: Clemens Hammacher <clemensh@chromium.org> Commit-Queue: Ben Titzer <titzer@chromium.org> Cr-Commit-Position: refs/heads/master@{#48836}
2017-10-23 15:24:15 +02:00 · 2017-10-23 15:24:15 +02:00 · 5814125c8f
commit 5814125c8f
parent 049844a1c2
2 changed files with 31 additions and 0 deletions
--- a/src/wasm/module-decoder.cc
+++ b/src/wasm/module-decoder.cc
@ -712,7 +712,13 @@ class ModuleDecoderImpl : public Decoder {
    uint32_t functions_count = consume_u32v("functions count");
    CheckFunctionsCount(functions_count, pos);
    for (uint32_t i = 0; ok() && i < functions_count; ++i) {
+      const byte* pos = pc();
      uint32_t size = consume_u32v("body size");
+      if (size > kV8MaxWasmFunctionSize) {
+        errorf(pos, "size %u > maximum function size %zu", size,
+               kV8MaxWasmFunctionSize);
+        return;
+      }
      uint32_t offset = pc_offset();
      consume_bytes(size, "function body");
      if (failed()) break;
--- a/test/unittests/wasm/module-decoder-unittest.cc
+++ b/test/unittests/wasm/module-decoder-unittest.cc
@ -1503,6 +1503,31 @@ TEST_F(WasmModuleVerifyTest, Regression_738097) {
  EXPECT_FAILURE(data);
 }

+TEST_F(WasmModuleVerifyTest, FunctionBodySizeLimit) {
+  const uint32_t delta = 3;
+  for (uint32_t body_size = kV8MaxWasmFunctionSize - delta;
+       body_size < kV8MaxWasmFunctionSize + delta; body_size++) {
+    byte data[] = {
+        SIGNATURES_SECTION(1, SIG_ENTRY_v_v),  // --
+        FUNCTION_SIGNATURES_SECTION(1, 0),     // --
+        kCodeSectionCode,                      // code section
+        U32V_5(1 + body_size + 5),             // section size
+        1,                                     // # functions
+        U32V_5(body_size)                      // body size
+    };
+    size_t total = sizeof(data) + body_size;
+    byte* buffer = reinterpret_cast<byte*>(calloc(1, total));
+    memcpy(buffer, data, sizeof(data));
+    ModuleResult result = DecodeModule(buffer, buffer + total);
+    if (body_size <= kV8MaxWasmFunctionSize) {
+      EXPECT_TRUE(result.ok());
+    } else {
+      EXPECT_FALSE(result.ok());
+    }
+    free(buffer);
+  }
+}
+
 TEST_F(WasmModuleVerifyTest, FunctionBodies_empty) {
  static const byte data[] = {
      EMPTY_SIGNATURES_SECTION,           // --