From bd6ee060d20f2432fb6240593ed92bad7875b99a Mon Sep 17 00:00:00 2001
From: Diego <96022404+dzfrias@users.noreply.github.com>
Date: Fri, 7 Jun 2024 08:05:32 -0700
Subject: [PATCH] LibWasm: Check data section offset for overflow during
 instantiation

---
 .../Libraries/LibWasm/AbstractMachine/AbstractMachine.cpp     | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/Userland/Libraries/LibWasm/AbstractMachine/AbstractMachine.cpp b/Userland/Libraries/LibWasm/AbstractMachine/AbstractMachine.cpp
index 73d46f8d844..0e7fc3bb431 100644
--- a/Userland/Libraries/LibWasm/AbstractMachine/AbstractMachine.cpp
+++ b/Userland/Libraries/LibWasm/AbstractMachine/AbstractMachine.cpp
@@ -345,7 +345,9 @@ InstantiationResult AbstractMachine::instantiate(Module const& module, Vector<Ex
                         return;
                     auto address = main_module_instance.memories()[data.index.value()];
                     auto instance = m_store.get(address);
-                    if (data.init.size() + offset > instance->size()) {
+                    Checked<size_t> checked_offset = data.init.size();
+                    checked_offset += offset;
+                    if (checked_offset.has_overflow() || checked_offset > instance->size()) {
                         instantiation_result = InstantiationError {
                             ByteString::formatted("Data segment attempted to write to out-of-bounds memory ({}) in memory of size {}",
                                 offset, instance->size())