mirror of
https://github.com/LadybirdBrowser/ladybird.git
synced 2025-10-18 22:19:50 +00:00
Previously, the memory.fill instruction always wrote to memory 0, ignoring the selected memory index. This caused incorrect behavior in multi-memory modules (e.g. filling mem0 instead of mem1). Additionally, the bounds check used `destination_offset + count` without overflow checking, which could wrap and bypass validation.

This patch:

- Passes `args.memory_index` into store_to_memory, so the correct memory is filled.
- Uses `Checked<u32>` for `destination_offset + count`, consistent with memory.copy and memory.init, to prevent overflow.

Minimal repro:

```wat
(module
  (memory $m0 1)
  (memory $m1 1)
  (func (export "go") (result i32)
    ;; Fill mem1[0] with 0xAA
    i32.const 0
    i32.const 170
    i32.const 1
    memory.fill (memory 1)
    ;; Return (mem1[0] << 8) | mem0[0]
    i32.const 0
    i32.load8_u (memory 1)
    i32.const 8
    i32.shl
    i32.const 0
    i32.load8_u (memory 0)
    i32.or
  )
)
```

Before fix: returns 170 (0x00AA).
After fix: returns 43520 (0xAA00).
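The two defects named in the commit message, shown side by side in host C++ as an added example that is not Ladybird's code: `fill_in_bounds_wrapping` reproduces the pre-fix arithmetic in which `destination_offset + count` wraps, `checked_add_u32` stands in for AK's `Checked<u32>`, and `memory_fill` honours the memory index; `run_repro` replays the repro module's arithmetic on two constructed one-page memories. All function names and the memory layout are assumptions.

```cpp
#include <cstddef>
#include <cstdint>
#include <limits>
#include <optional>
#include <vector>

// Constructed stand-in for a module's memory instances: index 0 is mem0,
// index 1 is mem1, matching the repro's (memory $m0 1) (memory $m1 1).
using Memory = std::vector<uint8_t>;

// Pre-fix bound: plain u32 addition, which wraps. With dest = 0xFFFFFFFF
// and count = 2 the sum becomes 1, so the check passes for a range that
// lies entirely outside the memory.
bool fill_in_bounds_wrapping(uint32_t dest, uint32_t count, size_t memory_size) {
    uint32_t end = dest + count;
    return end <= memory_size;
}

// Overflow-aware u32 addition; stands in for Checked<u32> (assumption).
std::optional<uint32_t> checked_add_u32(uint32_t a, uint32_t b) {
    if (a > std::numeric_limits<uint32_t>::max() - b)
        return std::nullopt;
    return a + b;
}

// Post-fix bound: an overflowing sum is rejected instead of wrapping.
bool fill_in_bounds_checked(uint32_t dest, uint32_t count, size_t memory_size) {
    auto end = checked_add_u32(dest, count);
    return end.has_value() && *end <= memory_size;
}

enum class Trap { None, OutOfBounds, BadMemoryIndex };

// Fixed memory.fill: selects the memory by index and uses the checked bound.
Trap memory_fill(std::vector<Memory>& memories, uint32_t memory_index,
                 uint32_t dest, uint8_t value, uint32_t count) {
    if (memory_index >= memories.size())
        return Trap::BadMemoryIndex;
    Memory& memory = memories[memory_index];
    if (!fill_in_bounds_checked(dest, count, memory.size()))
        return Trap::OutOfBounds;
    for (uint32_t i = 0; i < count; ++i)
        memory[dest + i] = value;
    return Trap::None;
}

// Replays the repro: fill mem1[0] with 0xAA, return (mem1[0] << 8) | mem0[0].
uint32_t run_repro() {
    std::vector<Memory> memories = { Memory(65536, 0), Memory(65536, 0) };
    memory_fill(memories, 1, 0, 170, 1);
    return (uint32_t(memories[1][0]) << 8) | memories[0][0];
}
```

With the index honoured, `run_repro()` yields 43520 (0xAA00), the post-fix value from the commit message; a fill routed to memory 0 would yield 170 instead.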