RESOLVED FIXED 201016
Wasm::FunctionParser is failing to enforce maxFunctionLocals.
https://bugs.webkit.org/show_bug.cgi?id=201016
Mark Lam
Reported 2019-08-21 18:22:10 PDT
Currently, Wasm::FunctionParser is allowing maxFunctionParams + maxFunctionLocals * maxFunctionLocals ... locals, which is 0x9502FCE8. It should be enforcing max locals of maxFunctionLocals instead. <rdar://problem/54579911>
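The following is an added illustration of the limit check described in the report; it is not WebKit's WasmFunctionParser code or the attached patch. It assumes maxFunctionParams = 1000 and maxFunctionLocals = 50000 (the values for which 1000 + 50000 * 50000 equals the 0x9502FCE8 quoted above), assumes the enforced total includes the parameters, and uses the MVP value-type encodings (0x7f i32, 0x7e i64, 0x7d f32, 0x7c f64). The WebAssembly locals declaration is a varuint32 group count followed by (varuint32 count, valtype) per group; bounding the group count and each group's count separately by maxFunctionLocals lets the product through, which is the reported behaviour. A running total compared against the limit after every group does not. The input bytes are constructed for the example.

```cpp
#include <cstdint>
#include <cstddef>
#include <cstdio>
#include <optional>
#include <utility>
#include <vector>

// Assumed limits for this example, consistent with the report's figure:
// 1000 + 50000 * 50000 == 0x9502FCE8.
constexpr uint32_t kMaxFunctionParams = 1000;
constexpr uint32_t kMaxFunctionLocals = 50000;

// Minimal byte reader over a function body, with a bounded unsigned LEB128 decoder.
struct Reader {
    const uint8_t* data;
    size_t size;
    size_t pos = 0;

    bool readU8(uint8_t& out) {
        if (pos >= size) return false;
        out = data[pos++];
        return true;
    }

    // varuint32: at most 5 bytes, and the decoded value must fit in 32 bits.
    bool readVarU32(uint32_t& out) {
        uint64_t result = 0;
        for (unsigned i = 0; i < 5; ++i) {
            uint8_t b;
            if (!readU8(b)) return false;
            result |= uint64_t(b & 0x7f) << (7 * i);
            if (!(b & 0x80)) {
                if (result > UINT32_MAX) return false;
                out = static_cast<uint32_t>(result);
                return true;
            }
        }
        return false; // continuation bit still set after 5 bytes
    }
};

// MVP value types: i32, i64, f32, f64.
static bool isValueType(uint8_t b) { return b == 0x7f || b == 0x7e || b == 0x7d || b == 0x7c; }

// Which limit check the parser applies to the locals declaration.
enum class LocalsCheck {
    PerGroupOnly, // group count <= max and each group's count <= max (the reported behaviour)
    RunningTotal  // additionally, params + all declared locals <= max
};

// Parses the locals vector at the start of a function body: a varuint32 group count, then
// (varuint32 count, valtype) per group. Returns params + declared locals, or nullopt on failure.
std::optional<uint64_t> parseLocals(const std::vector<uint8_t>& body, uint32_t paramCount, LocalsCheck check) {
    if (paramCount > kMaxFunctionParams) return std::nullopt;
    Reader r{body.data(), body.size()};

    uint32_t groupCount;
    if (!r.readVarU32(groupCount)) return std::nullopt;
    if (groupCount > kMaxFunctionLocals) return std::nullopt;

    uint64_t total = paramCount; // 64-bit so the sum cannot wrap before it is compared
    for (uint32_t i = 0; i < groupCount; ++i) {
        uint32_t count;
        uint8_t type;
        if (!r.readVarU32(count)) return std::nullopt;
        if (!r.readU8(type) || !isValueType(type)) return std::nullopt;
        if (count > kMaxFunctionLocals) return std::nullopt;
        total += count;
        if (check == LocalsCheck::RunningTotal && total > kMaxFunctionLocals) return std::nullopt;
    }
    return total;
}

// Input builder for constructed test bodies (not taken from a real module).
static void appendVarU32(std::vector<uint8_t>& out, uint32_t v) {
    do {
        uint8_t b = v & 0x7f;
        v >>= 7;
        if (v) b |= 0x80;
        out.push_back(b);
    } while (v);
}

std::vector<uint8_t> makeLocalsBody(const std::vector<std::pair<uint32_t, uint8_t>>& groups) {
    std::vector<uint8_t> body;
    appendVarU32(body, static_cast<uint32_t>(groups.size()));
    for (const auto& g : groups) {
        appendVarU32(body, g.first);
        body.push_back(g.second);
    }
    return body;
}

int main() {
    // Two groups of 30000 i32 locals: each group passes the per-group check, but the
    // function declares 60000 locals, above kMaxFunctionLocals.
    auto body = makeLocalsBody({{30000, 0x7f}, {30000, 0x7f}});
    auto loose = parseLocals(body, 0, LocalsCheck::PerGroupOnly);
    auto strict = parseLocals(body, 0, LocalsCheck::RunningTotal);
    std::printf("per-group check: %s (%llu locals)\n", loose ? "accepted" : "rejected",
                loose ? static_cast<unsigned long long>(*loose) : 0ULL);
    std::printf("running total:   %s\n", strict ? "accepted" : "rejected");
    return 0;
}
```

With PerGroupOnly the worst case a module can declare is kMaxFunctionParams + kMaxFunctionLocals * kMaxFunctionLocals entries, which is why the total is accumulated in a 64-bit integer here; with RunningTotal the parser fails as soon as the sum crosses the limit, before it reserves storage for the remaining groups.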
Attachments
proposed patch. (4.61 KB, patch)
2019-08-21 18:24 PDT, Mark Lam
no flags
proposed patch. (4.66 KB, patch)
2019-08-21 18:27 PDT, Mark Lam
ysuzuki: review+
Mark Lam
Comment 1 2019-08-21 18:24:49 PDT
Created attachment 376961 [details] proposed patch.
Mark Lam
Comment 2 2019-08-21 18:27:25 PDT
Created attachment 376962 [details] proposed patch.
Yusuke Suzuki
Comment 3 2019-08-21 18:31:01 PDT
Comment on attachment 376962 [details] proposed patch.
View in context: https://bugs.webkit.org/attachment.cgi?id=376962&action=review

r=me with comment.

> Source/JavaScriptCore/wasm/WasmFunctionParser.h:118
> +     uint32_t functionSectionsCount;

I think this is not a number of function-sections. So maybe localGroupCount is better.

> Source/JavaScriptCore/wasm/WasmFunctionParser.h:121
> +     WASM_PARSER_FAIL_IF(!parseVarUInt32(functionSectionsCount), "can't get number of Function sections");

Ditto.
Mark Lam
Comment 4 2019-08-21 18:38:41 PDT
Thanks for the review.

(In reply to Yusuke Suzuki from comment #3)
> Comment on attachment 376962 [details]
> > Source/JavaScriptCore/wasm/WasmFunctionParser.h:118
> > +     uint32_t functionSectionsCount;
>
> I think this is not a number of function-sections. So maybe localGroupCount
> is better.

Fixed.

> > Source/JavaScriptCore/wasm/WasmFunctionParser.h:121
> > +     WASM_PARSER_FAIL_IF(!parseVarUInt32(functionSectionsCount), "can't get number of Function sections");
>
> Ditto.

Fixed.
Mark Lam
Comment 5 2019-08-21 18:43:06 PDT