LibWasm: Check source and destination offsets in memory.init
Overflows are no longer possible. (cherry picked from commit 3b40667413ce0885d10491589207b9556d5161d0)
parent
da3aaac7ea
commit
0520de42f1
|
@ -840,16 +840,22 @@ void BytecodeInterpreter::interpret(Configuration& configuration, InstructionPoi
|
|||
auto& args = instruction.arguments().get<Instruction::MemoryInitArgs>();
|
||||
auto& data_address = configuration.frame().module().datas()[args.data_index.value()];
|
||||
auto& data = *configuration.store().get(data_address);
|
||||
auto memory_address = configuration.frame().module().memories()[args.memory_index.value()];
|
||||
auto memory = configuration.store().get(memory_address);
|
||||
auto count = *configuration.stack().pop().get<Value>().to<u32>();
|
||||
auto source_offset = *configuration.stack().pop().get<Value>().to<u32>();
|
||||
auto destination_offset = *configuration.stack().pop().get<Value>().to<u32>();
|
||||
|
||||
Checked<size_t> source_position = source_offset;
|
||||
source_position.saturating_add(count);
|
||||
Checked<size_t> destination_position = destination_offset;
|
||||
destination_position.saturating_add(count);
|
||||
TRAP_IF_NOT(source_position <= data.data().size());
|
||||
TRAP_IF_NOT(destination_position <= memory->data().size());
|
||||
|
||||
if (count == 0)
|
||||
return;
|
||||
|
||||
TRAP_IF_NOT(source_offset + count > 0);
|
||||
TRAP_IF_NOT(static_cast<size_t>(source_offset + count) <= data.size());
|
||||
|
||||
Instruction synthetic_store_instruction {
|
||||
Instructions::i32_store8,
|
||||
Instruction::MemoryArgument { 0, 0, args.memory_index }
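Review bot: The two new `TRAP_IF_NOT` bounds checks sit before the `if (count == 0) return;` early return, and nothing in the hunk says this order is deliberate, so a later cleanup could hoist the early return and let a zero-length memory.init with an out-of-range offset pass without trapping. I would add a comment above the `Checked<size_t>` lines such as `// Bounds are checked even when count == 0; the sums saturate, so an overflowing offset + count fails the comparison instead of wrapping.` The rendered page has lost its +/- markers, so I cannot tell whether `TRAP_IF_NOT(source_offset + count > 0);` and the `static_cast<size_t>(source_offset + count)` check after the early return are on the removed side. If they remain on the new side, they still add two u32 values with wraparound and are redundant with the new checks, so they should be dropped. The enclosing case in interpret() begins and ends outside this hunk.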
|
||||
|
|