v8/test/mjsunit/regress/wasm/regression-734246.js
Clemens Hammacher 6269b2be1e [wasm] Avoid constructing overflowing WireBytesRefs
The constructor of WireBytesRef checks that offset+length is still in
the uint32_t range. This CL avoids triggering this check on illegally
sized strings.

R=ahaas@chromium.org
BUG=chromium:734246

Change-Id: Iab5c7013aa3e0ac5060bc4733e712a1652679b1a
Reviewed-on: https://chromium-review.googlesource.com/539402
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46050}
2017-06-20 13:48:44 +00:00


// Copyright 2017 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
load('test/mjsunit/wasm/wasm-constants.js');
load('test/mjsunit/wasm/wasm-module-builder.js');
// Regression test for chromium:734246: a section tagged kUnknownSectionCode
// whose name length is close to UINT32_MAX must be rejected with a
// CompileError; decoding must not form an offset+length for the name that
// leaves the uint32 range.
const oversizedNameSection = [
  kUnknownSectionCode,
  // Declared section length (15); only the five name-length bytes follow here.
  0x0f,
  // Name length as a LEB128 varuint32; these five bytes decode to 0xfffffff9.
  0xf9, 0xff, 0xff, 0xff, 0x0f,
];
const moduleBuilder = new WasmModuleBuilder();
moduleBuilder.addExplicitSection(oversizedNameSection);
assertThrows(function () {
  return moduleBuilder.instantiate();
}, WebAssembly.CompileError);