mirrors/ladybird
0
0
Fork 0
mirror of https://github.com/LadybirdBrowser/ladybird.git synced 2025-08-08 09:09:43 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 9

LibWasm: Properly check active data segment offset in instantiation

Browse source 
Before, it was possible to crash the VM during instantiation when an
active data segment requested to put data in memory at an invalid
offset.
This commit is contained in:
Diego 2024-06-01 12:56:37 -07:00 committed by Ali Mohammad Pur
commit 2fabbae0f6
Notes: sideshowbarker 2024-07-17 22:41:14 +09:00
1 changed files with 8 additions and 13 deletions
Download patch file Download diff file Expand all files Collapse all files

21
Userland/Libraries/LibWasm/AbstractMachine/AbstractMachine.cpp
View file

@ -346,20 +346,15 @@ InstantiationResult AbstractMachine::instantiate(Module const& module, Vector<Ex
if (data.init.is_empty())
return;
auto address = main_module_instance.memories()[data.index.value()];
if (auto instance = m_store.get(address)) {
if (auto max = instance->type().limits().max(); max.has_value()) {
if (*max * Constants::page_size < data.init.size() + offset) {
instantiation_result = InstantiationError {
ByteString::formatted("Data segment attempted to write to out-of-bounds memory ({}) of max {} bytes",
data.init.size() + offset, instance->type().limits().max().value())
};
return;
}
}
if (instance->size() < data.init.size() + offset)
instance->grow(data.init.size() + offset - instance->size());
instance->data().overwrite(offset, data.init.data(), data.init.size());
auto instance = m_store.get(address);
if (data.init.size() + offset > instance->size()) {
instantiation_result = InstantiationError {
ByteString::formatted("Data segment attempted to write to out-of-bounds memory ({}) in memory of size {}",
offset, instance->size())
};
return;
}
instance->data().overwrite(offset, data.init.data(), data.init.size());
},
[&](DataSection::Data::Passive const& passive) {
auto maybe_data_address = m_store.allocate_data(passive.init);