[wasm-gc] Reject too large supertypes

We use 0xffffffff as a sentinel for "no supertype". Therefore we should reject it as we parse it. We implement this by rejecting supertypes outside V8's type definition limit. Bug: v8:7748 Change-Id: I7942d94073d8f7350528fb0e364e91f7359c8cec Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4110750 Auto-Submit: Manos Koukoutos <manoskouk@chromium.org> Reviewed-by: Matthias Liedtke <mliedtke@chromium.org> Commit-Queue: Matthias Liedtke <mliedtke@chromium.org> Cr-Commit-Position: refs/heads/main@{#84934}
2022-12-19 13:06:54 +01:00 · 2022-12-19 13:06:54 +01:00 · 8972c42a39
commit 8972c42a39
parent 9235ec6302
2 changed files with 22 additions and 3 deletions
--- a/src/wasm/module-decoder-impl.h
+++ b/src/wasm/module-decoder-impl.h
@ -606,10 +606,16 @@ class ModuleDecoderTemplate : public Decoder {
      constexpr uint32_t kMaximumSupertypes = 1;
      uint32_t supertype_count =
          consume_count("supertype count", kMaximumSupertypes);
-      uint32_t supertype = supertype_count == 1
-                               ? consume_u32v("supertype", tracer_)
-                               : kNoSuperType;
+      uint32_t supertype = kNoSuperType;
      if (supertype_count == 1) {
+        supertype = consume_u32v("supertype", tracer_);
+        if (supertype >= kV8MaxWasmTypes) {
+          errorf(
+              "supertype %u is greater than the maximum number of type "
+              "definitions %zu supported by V8",
+              supertype, kV8MaxWasmTypes);
+          return {};
+        }
        tracer_.Description(supertype);
        tracer_.NextLine();
      }
--- a/test/unittests/wasm/module-decoder-unittest.cc
+++ b/test/unittests/wasm/module-decoder-unittest.cc
@ -1078,6 +1078,19 @@ TEST_F(WasmModuleVerifyTest, SuperTypeDeclarationWith0Supertypes) {
  EXPECT_VERIFIES(zero_supertypes);
 }

+TEST_F(WasmModuleVerifyTest, NoSupertypeSupertype) {
+  WASM_FEATURE_SCOPE(typed_funcref);
+  WASM_FEATURE_SCOPE(gc);
+  static const byte no_supertype[] = {
+      SECTION(Type, ENTRY_COUNT(1),          // --
+              kWasmSubtypeCode, 1,           // supertype count
+              0xff, 0xff, 0xff, 0xff, 0x0f,  // supertype = "kNoSuperType"
+              kWasmArrayTypeCode, kI32Code, 0)};
+
+  EXPECT_FAILURE_WITH_MSG(
+      no_supertype, "is greater than the maximum number of type definitions");
+}
+
 TEST_F(WasmModuleVerifyTest, ZeroExceptions) {
  static const byte data[] = {SECTION(Tag, ENTRY_COUNT(0))};
  ModuleResult result = DecodeModule(base::ArrayVector(data));