4681371139
If module bytes end in a prefix like 0xfc (numeric prefix), we read out of bounds (pc + 1). So, if validate flag is set, check the length. Bug: chromium:1073553 Change-Id: Ia9771419d01f2315723d19dd96630172b5a7a1f5 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2161404 Reviewed-by: Clemens Backes <clemensb@chromium.org> Commit-Queue: Zhi An Ng <zhin@chromium.org> Cr-Commit-Position: refs/heads/master@{#67370}
// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
load('test/mjsunit/wasm/wasm-module-builder.js');

// Regression test for chromium:1073553: a function body whose last byte is a
// numeric opcode prefix, with no index byte after it, used to make the
// decoder read one byte past the end of the module bytes (pc + 1).
const moduleBuilder = new WasmModuleBuilder();
moduleBuilder.addMemory(1);

// Intentionally end the body on just a numeric opcode prefix, without the
// index byte that normally follows it.
// NOTE(review): this relies on addBodyWithEnd() emitting the bytes exactly as
// given, with no end opcode appended by the helper; confirm against
// wasm-module-builder.js.
const truncatedBody = [
  kExprI32Const, 1,
  kExprMemoryGrow, kMemoryZero,
  kNumericPrefix,
];
moduleBuilder.addFunction(undefined, kSig_v_i).addBodyWithEnd(truncatedBody);

const wireBytes = moduleBuilder.toBuffer();

// Only the absence of a crash is exercised here: the promise returned by
// compile() is neither awaited nor inspected, so the test does not assert
// that the truncated module is rejected.
WebAssembly.compile(wireBytes);