Title: [207843] trunk/Source/_javascript_Core
Revision: 207843
Author: [email protected]
Date: 2016-10-25 14:10:46 -0700 (Tue, 25 Oct 2016)
Log Message
WebAssembly: fix unknown section name handling, and check for section size overflow
https://bugs.webkit.org/show_bug.cgi?id=163959
See: https://github.com/WebAssembly/design/blob/master/BinaryEncoding.md#high-level-structure
Name length and name are already included in the payload length.
Reviewed by Filip Pizlo.
* wasm/WasmModuleParser.cpp:
(JSC::Wasm::ModuleParser::parse):
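The two points in the log message, that a section's payload length must be checked against the bytes that remain rather than added to the offset, and that a custom section's name length and name bytes sit inside that payload length, are shown below in a small stand-alone walker. This is an added example, not WebKit's code: `WasmSection`, `walkSections`, `withHeader` and the sample byte sequences are this example's own, and the sample modules are constructed, not taken from real files.

```cpp
// Added example, not WebKit's code: a minimal WebAssembly section walker that applies the
// overflow-safe bounds check from this revision and treats a custom section's name as part
// of its payload. All types, helpers and sample bytes here are this example's own.
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <initializer_list>
#include <string>
#include <vector>

static const uint8_t kHeader[8] = { 0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00 }; // "\0asm", version 1

struct WasmSection {
    uint32_t id;         // 0 is a custom (named) section
    std::string name;    // only set for id 0
    size_t contentStart; // first byte after the length LEB (id != 0) or after the name (id == 0)
    size_t end;          // one past the last payload byte
};

// Decode a LEB128 varuint32 at `offset`, advancing it; false on truncation or a value over 32 bits.
static bool parseVarUInt32(const std::vector<uint8_t>& bytes, size_t& offset, uint32_t& result)
{
    result = 0;
    for (unsigned shift = 0; shift < 35; shift += 7) {
        if (offset >= bytes.size())
            return false;
        uint8_t byte = bytes[offset++];
        if (shift == 28 && (byte & 0x70))
            return false; // would set bits above bit 31
        result |= static_cast<uint32_t>(byte & 0x7f) << shift;
        if (!(byte & 0x80))
            return true;
    }
    return false; // more than five bytes
}

// "offset + payloadLength" wraps in 32-bit arithmetic, so a huge length can slip past it...
static bool additionCheckRejects(uint32_t offset, uint32_t moduleLength, uint32_t payloadLength)
{
    return offset + payloadLength > moduleLength;
}

// ...while comparing against the bytes that remain cannot wrap, given offset <= moduleLength.
static bool subtractionCheckRejects(uint32_t offset, uint32_t moduleLength, uint32_t payloadLength)
{
    return payloadLength > moduleLength - offset;
}

// Walk every section; returns an empty string on success or a message naming the first problem.
static std::string walkSections(const std::vector<uint8_t>& module, std::vector<WasmSection>& out)
{
    if (module.size() < sizeof(kHeader) || !std::equal(kHeader, kHeader + sizeof(kHeader), module.begin()))
        return "bad module header";
    size_t offset = sizeof(kHeader);
    while (offset < module.size()) {
        uint32_t id, payloadLength;
        if (!parseVarUInt32(module, offset, id) || id > 0x7f)
            return "couldn't get section id";
        if (!parseVarUInt32(module, offset, payloadLength))
            return "couldn't get section length";
        if (payloadLength > module.size() - offset) // the subtraction form this revision adds
            return "section content would overflow Module's size";
        WasmSection section { id, std::string(), offset, offset + payloadLength };
        if (id == 0) {
            // name_len and name live inside payloadLength, so bound them by the section end, not the module.
            uint32_t nameLength;
            if (!parseVarUInt32(module, offset, nameLength) || offset > section.end || nameLength > section.end - offset)
                return "custom section name overflows its payload";
            section.name.assign(module.begin() + offset, module.begin() + offset + nameLength);
            offset += nameLength;
            section.contentStart = offset;
        }
        out.push_back(section);
        offset = section.end; // an unknown payload is skipped wholesale, name included
    }
    return std::string();
}

// Prepend the module header to a constructed section body (sample input for this example).
static std::vector<uint8_t> withHeader(std::initializer_list<uint8_t> body)
{
    std::vector<uint8_t> module(kHeader, kHeader + sizeof(kHeader));
    module.insert(module.end(), body.begin(), body.end());
    return module;
}

static std::string walkError(const std::vector<uint8_t>& module)
{
    std::vector<WasmSection> sections;
    return walkSections(module, sections);
}

static std::vector<WasmSection> sectionsOf(const std::vector<uint8_t>& module)
{
    std::vector<WasmSection> sections;
    walkSections(module, sections);
    return sections;
}
```

A body such as `{0x00, 0x07, 0x04, 'n','a','m','e', 0xaa, 0xbb}` is a custom section whose 7-byte payload contains the 1-byte name length, the 4-byte name and 2 content bytes, which is why the walker bounds the name by the section end and then jumps to `section.end` for anything it does not understand; `{0x01, 0x10}` with nothing after it is rejected by the remaining-bytes check before any read happens.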
Modified Paths
- trunk/Source/_javascript_Core/ChangeLog
- trunk/Source/_javascript_Core/wasm/WasmModuleParser.cpp
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (207842 => 207843)
--- trunk/Source/_javascript_Core/ChangeLog 2016-10-25 20:33:46 UTC (rev 207842)
+++ trunk/Source/_javascript_Core/ChangeLog 2016-10-25 21:10:46 UTC (rev 207843)
@@ -1,3 +1,17 @@
+2016-10-25 JF Bastien <[email protected]>
+
+ WebAssembly: fix unknown section name handling, and check for section size overflow
+ https://bugs.webkit.org/show_bug.cgi?id=163959
+
+ See: https://github.com/WebAssembly/design/blob/master/BinaryEncoding.md#high-level-structure
+
+ Name length and name are already included in the payload length.
+
+ Reviewed by Filip Pizlo.
+
+ * wasm/WasmModuleParser.cpp:
+ (JSC::Wasm::ModuleParser::parse):
+
2016-10-25 Christopher Reid <[email protected]>
jsc.cpp is leaking memory allocated by readline in runInteractive
Modified: trunk/Source/_javascript_Core/wasm/WasmModuleParser.cpp (207842 => 207843)
--- trunk/Source/_javascript_Core/wasm/WasmModuleParser.cpp 2016-10-25 20:33:46 UTC (rev 207842)
+++ trunk/Source/_javascript_Core/wasm/WasmModuleParser.cpp 2016-10-25 21:10:46 UTC (rev 207843)
@@ -88,24 +88,6 @@
if (sectionByte) {
if (sectionByte < Sections::Unknown)
section = static_cast<Sections::Section>(sectionByte);
- } else {
- uint32_t sectionNameLength;
- if (!parseVarUInt32(sectionNameLength)) {
- // FIXME improve error message https://bugs.webkit.org/show_bug.cgi?id=163919
- m_errorMessage = "couldn't get section name length";
- return false;
- }
-
- // Make sure we can read up to the section's size.
- if (m_offset + sectionNameLength + WTF::LEBDecoder::max32BitLEBByteLength >= length()) {
- // FIXME improve error message https://bugs.webkit.org/show_bug.cgi?id=163919
- m_errorMessage = "section length is bigger than actual size";
- return false;
- }
-
- // We don't support any custom sections yet.
-
- m_offset += sectionNameLength;
}
if (!Sections::validateOrder(previousSection, section)) {
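Review bot: the removed bounds check `m_offset + sectionNameLength + WTF::LEBDecoder::max32BitLEBByteLength >= length()` compared a sum that can wrap for a large `sectionNameLength`, so dropping it in favour of a single check on `sectionLength` is the right direction, but the branch also took with it the only note that custom sections are unsupported ("We don't support any custom sections yet."). Suggest keeping that comment near the `if (sectionByte)` test, and noting there that when custom sections are eventually parsed the name-length LEB has to be bounded by the section's own `end`, not by `length()`, since the name now lives inside `sectionLength`.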
@@ -121,8 +103,14 @@
return false;
}
- unsigned end = m_offset + sectionLength;
+ if (sectionLength > length() - m_offset) {
+ // FIXME improve error message https://bugs.webkit.org/show_bug.cgi?id=163919
+ m_errorMessage = "section content would overflow Module's size";
+ return false;
+ }
+ auto end = m_offset + sectionLength;
+
switch (section) {
case Sections::Memory: {
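Review bot: `sectionLength > length() - m_offset` only avoids wrapping if `m_offset <= length()` holds at this point; an `ASSERT(m_offset <= length())` immediately before the check would document and enforce that invariant. Using `>` rather than `>=` is correct, since a section that ends exactly at the end of the module is valid. Switching `unsigned end` to `auto end` also changes the type of `end` to whatever `m_offset + sectionLength` promotes to; spelling the type out keeps the later `m_offset` comparisons against `end` unsurprising.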
@@ -174,6 +162,7 @@
default: {
if (verbose)
dataLogLn("Unknown section, skipping.");
+ // Ignore section's name LEB and bytes: they're already included in sectionLength.
m_offset += sectionLength;
break;
}
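Review bot: the added comment "Ignore section's name LEB and bytes: they're already included in sectionLength." only holds for a zero `sectionByte`; a non-zero id that is `>= Sections::Unknown` also lands in this `default` case (see the `if (sectionByte < Sections::Unknown)` test above) and carries no name at all. Suggest rewording to something like "For custom sections (id 0) the name LEB and bytes are part of sectionLength, so skipping sectionLength skips them too." so the comment does not suggest every unknown section has a name.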
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes