Bug 201016

Summary: Wasm::FunctionParser is failing to enforce maxFunctionLocals.
Product: WebKit
Reporter: Mark Lam <mark.lam>
Component: JavaScriptCore
Assignee: Mark Lam <mark.lam>
Status: RESOLVED FIXED
Severity: Normal
CC: ews-watchlist, keith_miller, msaboff, saam, tzagallo, webkit-bug-importer, ysuzuki
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Bug Depends on: (none)
Bug Blocks: 201006
Attachments (description, flags):
proposed patch., none
proposed patch., ysuzuki: review+

Mark Lam
Reported 2019-08-21 18:22:10 PDT
Currently, Wasm::FunctionParser is allowing maxFunctionParams + maxFunctionLocals * maxFunctionLocals ... locals, which is 0x9502FCE8. It should be enforcing max locals of maxFunctionLocals instead. <rdar://problem/54579911>
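The check the report asks for, as an added example that is not part of the patch or of WebKit's own code: a small parser for the local declarations that open a Wasm function body, which compares the running total of params plus declared locals against a cap on every group instead of limiting each group and the group count separately. kMaxFunctionLocals, parseLocals and the paramCount argument are assumptions standing in for maxFunctionLocals and the parser's state.

```cpp
#include <cstddef>
#include <cstdint>
#include <optional>
#include <vector>

static const uint32_t kMaxFunctionLocals = 50000; // assumed stand-in for maxFunctionLocals; real value not on this page

// Decode one unsigned LEB128 varuint32 at `offset`; fails on truncation or a >32-bit payload.
static bool parseVarUInt32(const std::vector<uint8_t>& data, size_t& offset, uint32_t& out)
{
    uint32_t result = 0;
    for (unsigned shift = 0; shift < 35; shift += 7) {
        if (offset >= data.size())
            return false;
        uint8_t next = data[offset++];
        uint32_t bits = next & 0x7f;
        if (shift == 28 && (bits >> 4))
            return false; // payload would exceed 32 bits
        result |= bits << shift;
        if (!(next & 0x80)) {
            out = result;
            return true;
        }
    }
    return false;
}

// Parse the local declarations that open a Wasm function body: a varuint32 group count,
// then (varuint32 count, valtype) pairs. Returns params plus declared locals, or nullopt on
// malformed input or when the running total exceeds the cap (checked on the sum, not per group).
std::optional<uint32_t> parseLocals(const std::vector<uint8_t>& body, uint32_t paramCount)
{
    size_t offset = 0;
    uint32_t localGroupCount = 0;
    if (!parseVarUInt32(body, offset, localGroupCount))
        return std::nullopt;
    uint64_t totalLocals = paramCount; // 64-bit so a single addition can never wrap
    for (uint32_t i = 0; i < localGroupCount; ++i) {
        uint32_t numberOfLocals = 0;
        if (!parseVarUInt32(body, offset, numberOfLocals) || offset >= body.size())
            return std::nullopt;
        uint8_t valueType = body[offset++];
        if (valueType < 0x7c || valueType > 0x7f) // MVP value types: f64, f32, i64, i32
            return std::nullopt;
        totalLocals += numberOfLocals;
        if (totalLocals > kMaxFunctionLocals)
            return std::nullopt; // enforce the cap on the total, group by group
    }
    return static_cast<uint32_t>(totalLocals);
}
```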
Attachments:
proposed patch. (4.61 KB, patch), 2019-08-21 18:24 PDT, Mark Lam, no flags
proposed patch. (4.66 KB, patch), 2019-08-21 18:27 PDT, Mark Lam, ysuzuki: review+
Mark Lam
Comment 1 2019-08-21 18:24:49 PDT
Created attachment 376961 [details] proposed patch.
Mark Lam
Comment 2 2019-08-21 18:27:25 PDT
Created attachment 376962 [details] proposed patch.
Yusuke Suzuki
Comment 3 2019-08-21 18:31:01 PDT
Comment on attachment 376962 [details] proposed patch.
View in context: https://bugs.webkit.org/attachment.cgi?id=376962&action=review

r=me with comment.

> Source/JavaScriptCore/wasm/WasmFunctionParser.h:118
> + uint32_t functionSectionsCount;

I think this is not a number of function-sections. So maybe, localGroupCount is better.

> Source/JavaScriptCore/wasm/WasmFunctionParser.h:121
> + WASM_PARSER_FAIL_IF(!parseVarUInt32(functionSectionsCount), "can't get number of Function sections");

Ditto.
Mark Lam
Comment 4 2019-08-21 18:38:41 PDT
Thanks for the review.

(In reply to Yusuke Suzuki from comment #3)
> Comment on attachment 376962 [details]
>
> > Source/JavaScriptCore/wasm/WasmFunctionParser.h:118
> > + uint32_t functionSectionsCount;
>
> I think this is not a number of function-sections. So maybe, localGroupCount
> is better.

Fixed.

> > Source/JavaScriptCore/wasm/WasmFunctionParser.h:121
> > + WASM_PARSER_FAIL_IF(!parseVarUInt32(functionSectionsCount), "can't get number of Function sections");
>
> Ditto.

Fixed.
Mark Lam
Comment 5 2019-08-21 18:43:06 PDT