system/serenity
system/serenity
1
0
Fork 0
mirror of https://github.com/SerenityOS/serenity synced 2024-10-01 13:44:21 +00:00
Code Issues Packages Projects Releases Wiki Activity

LibWasm: Check source and destination offsets in memory.init

Browse source 
Overflows are no longer possible.

(cherry picked from commit 3b40667413ce0885d10491589207b9556d5161d0)
This commit is contained in:
Diego 2024-06-21 16:28:27 -07:00 committed by Ali Mohammad Pur
parent da3aaac7ea
commit 0520de42f1
1 changed files with 9 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
Userland/Libraries/LibWasm/AbstractMachine/BytecodeInterpreter.cpp
View file

@ -840,16 +840,22 @@ void BytecodeInterpreter::interpret(Configuration& configuration, InstructionPoi
auto& args = instruction.arguments().get<Instruction::MemoryInitArgs>();
auto& data_address = configuration.frame().module().datas()[args.data_index.value()];
auto& data = *configuration.store().get(data_address);
auto memory_address = configuration.frame().module().memories()[args.memory_index.value()];
auto memory = configuration.store().get(memory_address);
auto count = *configuration.stack().pop().get<Value>().to<u32>();
auto source_offset = *configuration.stack().pop().get<Value>().to<u32>();
auto destination_offset = *configuration.stack().pop().get<Value>().to<u32>();
Checked<size_t> source_position = source_offset;
source_position.saturating_add(count);
Checked<size_t> destination_position = destination_offset;
destination_position.saturating_add(count);
TRAP_IF_NOT(source_position <= data.data().size());
TRAP_IF_NOT(destination_position <= memory->data().size());
if (count == 0)
return;
TRAP_IF_NOT(source_offset + count > 0);
TRAP_IF_NOT(static_cast<size_t>(source_offset + count) <= data.size());
Instruction synthetic_store_instruction {
Instructions::i32_store8,
Instruction::MemoryArgument { 0, 0, args.memory_index }