[PATCH] D43954: [WebAssembly] Check function type indexes

Nicholas Wilson via Phabricator via llvm-commits llvm-commits at lists.llvm.org
Thu Mar 1 09:56:31 PST 2018


ncw created this revision.
ncw added reviewers: sbc100, sunfish.
Herald added subscribers: llvm-commits, aheejin, jgravelle-google, dschuff, jfb.

Also update tests containing invalid Wasm files, exposed by the check

----

Split out of https://reviews.llvm.org/D43940 as requested


Repository:
  rL LLVM

https://reviews.llvm.org/D43954

Files:
  lib/Object/WasmObjectFile.cpp
  test/ObjectYAML/wasm/export_section.yaml
  test/ObjectYAML/wasm/function_section.yaml


Index: test/ObjectYAML/wasm/function_section.yaml
===================================================================
--- test/ObjectYAML/wasm/function_section.yaml
+++ test/ObjectYAML/wasm/function_section.yaml
@@ -3,6 +3,15 @@
 FileHeader:
   Version:         0x00000001
 Sections:
+  - Type:            TYPE
+    Signatures:
+      - Index:           0
+        ReturnType:      NORESULT
+        ParamTypes:
+      - Index:           1
+        ReturnType:      NORESULT
+        ParamTypes:
+          - I32
   - Type:            FUNCTION
     FunctionTypes: [ 1, 0 ]
   - Type:            CODE
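
Review bot: With `FunctionTypes: [ 1, 0 ]` against the two signatures added here, this input only exercises the accepted case at the upper bound, and none of the three files in the patch covers the rejection path. Add a companion input whose function section references index 2 and check that parsing fails with "Invalid function type index", so the new bounds check cannot regress silently.
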
Index: test/ObjectYAML/wasm/export_section.yaml
===================================================================
--- test/ObjectYAML/wasm/export_section.yaml
+++ test/ObjectYAML/wasm/export_section.yaml
@@ -3,6 +3,11 @@
 FileHeader:
   Version:         0x00000001
 Sections:
+  - Type:            TYPE
+    Signatures:
+      - Index:           0
+        ReturnType:      NORESULT
+        ParamTypes:
   - Type:            FUNCTION
     FunctionTypes: [ 0, 0 ]
   - Type:            GLOBAL
Index: lib/Object/WasmObjectFile.cpp
===================================================================
--- lib/Object/WasmObjectFile.cpp
+++ lib/Object/WasmObjectFile.cpp
@@ -768,8 +768,13 @@
 Error WasmObjectFile::parseFunctionSection(const uint8_t *Ptr, const uint8_t *End) {
   uint32_t Count = readVaruint32(Ptr);
   FunctionTypes.reserve(Count);
+  uint32_t MaxType = Signatures.size();
   while (Count--) {
-    FunctionTypes.push_back(readVaruint32(Ptr));
+    uint32_t Type = readVaruint32(Ptr);
+    if (Type >= MaxType)
+      return make_error<GenericBinaryError>("Invalid function type index",
+                                            object_error::parse_failed);
+    FunctionTypes.push_back(Type);
   }
   if (Ptr != End)
     return make_error<GenericBinaryError>("Function section ended prematurely",
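
Review bot: `MaxType` is taken from `Signatures.size()` on entry to `parseFunctionSection`, so the check silently depends on the type section having been parsed first; if it has not, the bound is 0 and every index is rejected with the same generic message. That is a safe outcome, but a one-line comment stating the ordering assumption would help, and putting the offending index in the error text would make malformed inputs easier to triage. Separately, `FunctionTypes.reserve(Count)` still runs on the `Count` read straight from the file before anything is validated; since each entry occupies at least one byte, rejecting `Count > End - Ptr` before the reserve would keep a small crafted file from requesting a very large allocation.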

