From 2fabbae0f6ee7f306a52eaa5c36a22df35122b78 Mon Sep 17 00:00:00 2001
From: Diego <96022404+dzfrias@users.noreply.github.com>
Date: Sat, 1 Jun 2024 12:56:37 -0700
Subject: [PATCH] LibWasm: Properly check active data segment offset in instantiation

Before, it was possible to crash the VM during instantiation when an active data segment requested to put data in memory at an invalid offset.
---
 .../AbstractMachine/AbstractMachine.cpp | 21 +++++++------------
 1 file changed, 8 insertions(+), 13 deletions(-)

diff --git a/Userland/Libraries/LibWasm/AbstractMachine/AbstractMachine.cpp b/Userland/Libraries/LibWasm/AbstractMachine/AbstractMachine.cpp
index 7d0cdab3057..feb00aae3fb 100644
--- a/Userland/Libraries/LibWasm/AbstractMachine/AbstractMachine.cpp
+++ b/Userland/Libraries/LibWasm/AbstractMachine/AbstractMachine.cpp
@@ -346,20 +346,15 @@ InstantiationResult AbstractMachine::instantiate(Module const& module, Vectortype().limits().max(); max.has_value()) {
- if (*max * Constants::page_size < data.init.size() + offset) {
- instantiation_result = InstantiationError {
- ByteString::formatted("Data segment attempted to write to out-of-bounds memory ({}) of max {} bytes",
- data.init.size() + offset, instance->type().limits().max().value())
- };
- return;
- }
- }
- if (instance->size() < data.init.size() + offset)
- instance->grow(data.init.size() + offset - instance->size());
- instance->data().overwrite(offset, data.init.data(), data.init.size());
+ auto instance = m_store.get(address);
+ if (data.init.size() + offset > instance->size()) {
+ instantiation_result = InstantiationError {
+ ByteString::formatted("Data segment attempted to write to out-of-bounds memory ({}) in memory of size {}",
+ offset, instance->size())
+ };
+ return;
 }
+ instance->data().overwrite(offset, data.init.data(), data.init.size());
 },
 [&](DataSection::Data::Passive const& passive) {
 auto maybe_data_address = m_store.allocate_data(passive.init);
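Review bot: The new bounds check `if (data.init.size() + offset > instance->size())` forms the sum before comparing, so whether it can wrap depends on the width and signedness of `offset`, which is assigned before the hunk and not visible here; a form that is safe regardless of that type is `if (offset > instance->size() || data.init.size() > instance->size() - offset) {`. Removing the old `grow()` fallback is the right direction, since the segment is now rejected instead of silently extending memory, but a short comment above the check would keep a later reader from reintroducing it: `// An active segment that does not fit the current memory size fails instantiation; memory is never grown here.` This copy of the hunk is partly illegible (the text between `Vector` and `type().limits()` is missing, which by the diffstat's 13 deletions appears to cover two removed lines), and the enclosing `instantiate` starts and ends outside the hunk.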