AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity
26ac072990
v8/test/mjsunit/regress/wasm/regress-789952.js
Ben L. Titzer b6ca58e57e Reland "[wasm] Gracefully handle malformed custom sections in WebAssembly.Module.customSections()." 
This is a reland of 163c1c8262
Original change's description:
> [wasm] Gracefully handle malformed custom sections in WebAssembly.Module.customSections().
> 
> R=clemensh@chromium.org
> BUG=chromium:789952
> 
> Change-Id: Ida627fa6cdeacff01a0ec4d20e58281f17528010
> Reviewed-on: https://chromium-review.googlesource.com/800941
> Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
> Commit-Queue: Ben Titzer <titzer@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#49767}

Bug: chromium:789952
Change-Id: Ie17629b3fcbf2d5f78c83be2aa2a6b904a61f3ab
Reviewed-on: https://chromium-review.googlesource.com/803575
Commit-Queue: Ben L. Titzer <titzer@google.com>
Commit-Queue: Ben Titzer <titzer@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49796}
2017-12-01 14:39:57 +00:00

41 lines
1.1 KiB
JavaScript
Raw Blame History

// Copyright 2017 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
let module_size = 19;
let string_len = 0x00fffff0 - module_size;
print("Allocating backing store: " + (string_len + module_size));
let backing = new ArrayBuffer(string_len + module_size);
print("Allocating typed array buffer");
let buffer = new Uint8Array(backing);
print("Filling...");
buffer.fill(0x41);
print("Setting up array buffer");
// Magic
buffer.set([0x00, 0x61, 0x73, 0x6D], 0);
// Version
buffer.set([0x01, 0x00, 0x00, 0x00], 4);
// kUnknownSection (0)
buffer.set([0], 8);
// Section length
buffer.set([0x80, 0x80, 0x80, 0x80, 0x00], 9);
// Name length
let x = string_len + 1;
let b1 = ((x >> 0) & 0x7F) | 0x80;
let b2 = ((x >> 7) & 0x7F) | 0x80;
let b3 = ((x >> 14) & 0x7F) | 0x80;
let b4 = ((x >> 21) & 0x7F);
//buffer.set([0xDE, 0xFF, 0xFF, 0x7F], 14);
buffer.set([b1, b2, b3, b4], 14);
print("Parsing module...");
let m = new WebAssembly.Module(buffer);
print("Triggering!");
let c = WebAssembly.Module.customSections(m, "A".repeat(string_len + 1));
assertEquals(0, c.length);
Reference in New Issue View Git Blame Copy Permalink