[wasm] Check that a function body exists before verifying it.

R=clemensh@chromium.org BUG=chromium:737069 Change-Id: Ic651c8e84eb8d3e1181355cf44aadf4c4009245b Reviewed-on: https://chromium-review.googlesource.com/552145 Commit-Queue: Andreas Haas <ahaas@chromium.org> Reviewed-by: Clemens Hammacher <clemensh@chromium.org> Cr-Commit-Position: refs/heads/master@{#46285}
2017-06-28 14:04:42 +02:00 · 2017-06-28 14:04:42 +02:00 · a15030304a
commit a15030304a
parent 36b332518f
2 changed files with 37 additions and 2 deletions
--- a/src/wasm/module-decoder.cc
+++ b/src/wasm/module-decoder.cc
@ -670,14 +670,14 @@ class ModuleDecoder : public Decoder {
          &module_->functions[i + module_->num_imported_functions];
      uint32_t size = consume_u32v("body size");
      function->code = {pc_offset(), size};
-      if (verify_functions) {
+      consume_bytes(size, "function body");
+      if (ok() && verify_functions) {
        ModuleBytesEnv module_env(module_.get(), nullptr,
                                  ModuleWireBytes(start_, end_));
        VerifyFunctionBody(module_->signature_zone->allocator(),
                           i + module_->num_imported_functions, &module_env,
                           function);
      }
-      consume_bytes(size, "function body");
    }
  }

--- a/test/mjsunit/regress/wasm/regression-737069.js
+++ b/test/mjsunit/regress/wasm/regression-737069.js
@ -0,0 +1,35 @@
+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --expose-wasm
+
+load("test/mjsunit/wasm/wasm-constants.js");
+load("test/mjsunit/wasm/wasm-module-builder.js");
+
+let binary = new Binary;
+
+binary.emit_header();
+binary.emit_section(kTypeSectionCode, section => {
+  section.emit_u32v(1); // number of types
+  section.emit_u8(kWasmFunctionTypeForm);
+  section.emit_u32v(0); // number of parameters
+  section.emit_u32v(0); // number of returns
+});
+binary.emit_section(kFunctionSectionCode, section => {
+  section.emit_u32v(1); // number of functions
+  section.emit_u32v(0); // type index
+});
+
+binary.emit_u8(kCodeSectionCode);
+binary.emit_u8(0x02); // section length
+binary.emit_u8(0x01); // number of functions
+binary.emit_u8(0x40); // function body size
+// Function body is missing here.
+
+let buffer = new ArrayBuffer(binary.length);
+let view = new Uint8Array(buffer);
+for (let i = 0; i < binary.length; i++) {
+  view[i] = binary[i] | 0;
+}
+WebAssembly.validate(buffer);