7 changes: 5 additions & 2 deletions src/wasm-interpreter.h
Expand Up @@ -32,6 +32,7 @@
#include "ir/module-utils.h"
#include "support/bits.h"
#include "support/safe_integer.h"
#include "support/stdckdint.h"
#include "wasm-builder.h"
#include "wasm-traversal.h"
#include "wasm.h"
Expand Down Expand Up @@ -2001,10 +2002,12 @@ class ExpressionRunner : public OverriddenVisitor<SubType, Flow> {
if (!refData || !ptrData) {
trap("null ref");
}
auto startVal = start.getSingleValue().getInteger();
auto startVal = start.getSingleValue().getUnsigned();
auto& refValues = refData->values;
auto& ptrValues = ptrData->values;
if (startVal + refValues.size() > ptrValues.size()) {
size_t end;
if (std::ckd_add<size_t>(&end, startVal, refValues.size()) ||
end > ptrValues.size()) {
trap("oob");
}

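Review bot: The checked add in the new `if` carries no comment saying which overflow it guards, and the reason is not obvious on a 64-bit host, where an i32-derived offset plus a container size cannot exceed size_t; the case that needs `std::ckd_add` is presumably a 32-bit `size_t`, or any path where the start value carries more than 32 bits. A one-line comment above `size_t end;` would record that, e.g. `// Checked add: startVal is unsigned and may be close to the i32 maximum, so startVal + size can exceed size_t on 32-bit hosts.` Declaring it as `size_t end{};` would also match brace-initialisation and keep the variable defined on every path even if the helper were ever replaced. The enclosing visitor function starts before and ends after the hunk, so the later indexing of `ptrValues` from `startVal` that this bound is meant to protect is not visible here.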
38 changes: 38 additions & 0 deletions test/lit/exec/strings.wast
Expand Up @@ -245,6 +245,36 @@
)
)

;; CHECK: [fuzz-exec] calling encode-unsigned
;; CHECK-NEXT: [trap oob]
(func $encode-unsigned (export "encode-unsigned")
(drop
(string.encode_wtf16_array
(string.const "ab")
(array.new_default $array16
(i32.const 28)
)
;; This is a huge unsigned offset, so we will trap on oob.
(i32.const -2)
)
)
)

;; CHECK: [fuzz-exec] calling encode-overflow
;; CHECK-NEXT: [trap oob]
(func $encode-overflow (export "encode-overflow")
;; The string's size + the offset lead to an overflow here in the array.
(drop
(string.encode_wtf16_array
(string.const "ab")
(array.new_default $array16
(i32.const 10)
)
(i32.const 9)
)
)
)

;; CHECK: [fuzz-exec] calling slice
;; CHECK-NEXT: [fuzz-exec] note result: slice => string("def")
(func $slice (export "slice") (result (ref string))
Expand Down Expand Up @@ -332,6 +362,12 @@
;; CHECK-NEXT: [LoggingExternalInterface logging 99]
;; CHECK-NEXT: [LoggingExternalInterface logging 0]

;; CHECK: [fuzz-exec] calling encode-unsigned
;; CHECK-NEXT: [trap oob]

;; CHECK: [fuzz-exec] calling encode-overflow
;; CHECK-NEXT: [trap oob]

;; CHECK: [fuzz-exec] calling slice
;; CHECK-NEXT: [fuzz-exec] note result: slice => string("def")

Expand All @@ -349,6 +385,8 @@
;; CHECK-NEXT: [fuzz-exec] comparing compare.9
;; CHECK-NEXT: [fuzz-exec] comparing const
;; CHECK-NEXT: [fuzz-exec] comparing encode
;; CHECK-NEXT: [fuzz-exec] comparing encode-overflow
;; CHECK-NEXT: [fuzz-exec] comparing encode-unsigned
;; CHECK-NEXT: [fuzz-exec] comparing eq.1
;; CHECK-NEXT: [fuzz-exec] comparing eq.2
;; CHECK-NEXT: [fuzz-exec] comparing eq.3
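Review bot: Neither new case reaches the checked-add failure path on a 64-bit host: `encode-overflow` uses offset 9 plus length 2 against an array of 10, which is a plain out-of-bounds sum (11 > 10), and `encode-unsigned` adds 2 to 0xFFFFFFFE, which fits comfortably in a 64-bit size_t, so `std::ckd_add` only reports overflow for these inputs where size_t is 32 bits. The comment on `encode-overflow` reads as if an arithmetic overflow were triggered; saying `;; 9 + 2 exceeds the array length of 10, so this traps as oob (no integer overflow here).` would keep the test's intent honest. If an i32 start cannot express a sum that wraps a 64-bit size_t, it would be worth stating in the test (or covering the wrap case in a host-side unit test) that the overflow branch is exercised only on 32-bit builds. The CHECK lines in the later hunks are generated output and need no change.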