WebAssembly: fix unknown section name handling, and check for section size overflow
authorjfbastien@apple.com <jfbastien@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 25 Oct 2016 21:10:46 +0000 (21:10 +0000)
committerjfbastien@apple.com <jfbastien@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 25 Oct 2016 21:10:46 +0000 (21:10 +0000)
https://bugs.webkit.org/show_bug.cgi?id=163959

See: https://github.com/WebAssembly/design/blob/master/BinaryEncoding.md#high-level-structure

Name length and name are already included in the payload length.

Reviewed by Filip Pizlo.

* wasm/WasmModuleParser.cpp:
(JSC::Wasm::ModuleParser::parse):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@207843 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/wasm/WasmModuleParser.cpp

index 2b8346b..8908c3d 100644 (file)
@@ -1,3 +1,17 @@
+2016-10-25  JF Bastien  <jfbastien@apple.com>
+
+        WebAssembly: fix unknown section name handling, and check for section size overflow
+        https://bugs.webkit.org/show_bug.cgi?id=163959
+
+        See: https://github.com/WebAssembly/design/blob/master/BinaryEncoding.md#high-level-structure
+
+        Name length and name are already included in the payload length.
+
+        Reviewed by Filip Pizlo.
+
+        * wasm/WasmModuleParser.cpp:
+        (JSC::Wasm::ModuleParser::parse):
+
 2016-10-25  Christopher Reid  <Christopher.Reid@am.sony.com>
 
         jsc.cpp is leaking memory allocated by readline in runInteractive
index 276d897..da9d092 100644 (file)
@@ -88,24 +88,6 @@ bool ModuleParser::parse()
         if (sectionByte) {
             if (sectionByte < Sections::Unknown)
                 section = static_cast<Sections::Section>(sectionByte);
-        } else {
-            uint32_t sectionNameLength;
-            if (!parseVarUInt32(sectionNameLength)) {
-                // FIXME improve error message https://bugs.webkit.org/show_bug.cgi?id=163919
-                m_errorMessage = "couldn't get section name length";
-                return false;
-            }
-
-            // Make sure we can read up to the section's size.
-            if (m_offset + sectionNameLength + WTF::LEBDecoder::max32BitLEBByteLength >= length()) {
-                // FIXME improve error message https://bugs.webkit.org/show_bug.cgi?id=163919
-                m_errorMessage = "section length is bigger than actual size";
-                return false;
-            }
-
-            // We don't support any custom sections yet.
-
-            m_offset += sectionNameLength;
         }
 
         if (!Sections::validateOrder(previousSection, section)) {
@@ -121,7 +103,13 @@ bool ModuleParser::parse()
             return false;
         }
 
-        unsigned end = m_offset + sectionLength;
+        if (sectionLength > length() - m_offset) {
+            // FIXME improve error message https://bugs.webkit.org/show_bug.cgi?id=163919
+            m_errorMessage = "section content would overflow Module's size";
+            return false;
+        }
+
+        auto end = m_offset + sectionLength;
 
         switch (section) {
 
@@ -174,6 +162,7 @@ bool ModuleParser::parse()
         default: {
             if (verbose)
                 dataLogLn("Unknown section, skipping.");
+            // Ignore section's name LEB and bytes: they're already included in sectionLength.
             m_offset += sectionLength;
             break;
         }
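Review bot: The new bounds check in the second hunk, `if (sectionLength > length() - m_offset)`, only prevents wrap-around if `m_offset <= length()` already holds at that point; nothing in the hunk establishes it, and if an earlier parse step could leave `m_offset` past the end, the unsigned subtraction would yield a huge value and the check would pass. If that invariant is intended, state it at the check site with `ASSERT(m_offset <= length()); // remaining bytes; subtraction below cannot wrap` immediately before the `if`. The operand widths are not visible here — if `sectionLength` and `m_offset` differ in type, `auto end = m_offset + sectionLength;` deserves a comment naming the type `end` resolves to, since the per-section parsers presumably compare against it. The enclosing ModuleParser::parse() starts before and continues past these hunks.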