2 changes: 1 addition & 1 deletion src/wasm-interpreter.h
Expand Up @@ -1883,7 +1883,7 @@ class ExpressionRunner : public OverriddenVisitor<SubType, Flow> {
const auto& ptrDataValues = ptrData->values;
size_t startVal = start.getSingleValue().getUnsigned();
size_t endVal = end.getSingleValue().getUnsigned();
if (endVal > ptrDataValues.size()) {
if (startVal > ptrDataValues.size() || endVal > ptrDataValues.size()) {
trap("array oob");
}
Literals contents;
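Review bot: The widened guard on the new `if` line still admits a reversed range: with a non-empty array, `startVal > endVal` while both are within `ptrDataValues.size()` passes both comparisons and falls through to the copy below, which (if it walks `[startVal, endVal)`, as the surrounding code suggests but the hunk does not show) yields an empty string instead of a trap. Checking the order rather than each bound separately is both stronger and simpler: `if (startVal > endVal || endVal > ptrDataValues.size()) {` — any `startVal` beyond the array length is then caught through `startVal > endVal`, so the empty-array cases added in this PR still trap. A one-line comment above the check, `// start > end, or end past the array length, is a trap rather than an empty slice`, would record the intended semantics. The enclosing visitor method begins and ends outside the hunk.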
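--- a/test/lit/exec/strings.wast
+++ b/test/lit/exec/strings.wast
@@ -296,6 +296,47 @@
 (i32.const -1)
 )
 )
+
+;; CHECK: [fuzz-exec] calling new_empty
+;; CHECK-NEXT: [fuzz-exec] note result: new_empty => string("")
+(func $new_empty (export "new_empty") (result stringref)
+;; Make an empty string from an empty array.
+(string.new_wtf16_array
+(array.new_default $array16
+(i32.const 0)
+)
+(i32.const 0)
+(i32.const 0)
+)
+)
+
+;; CHECK: [fuzz-exec] calling new_empty_oob
+;; CHECK-NEXT: [trap array oob]
+(func $new_empty_oob (export "new_empty_oob") (result stringref)
+;; Try to make a string from an empty array that we slice at [1:0], which is
+;; out of bounds due to the starting index.
+(string.new_wtf16_array
+(array.new_default $array16
+(i32.const 0)
+)
+(i32.const 1)
+(i32.const 0)
+)
+)
+
+;; CHECK: [fuzz-exec] calling new_empty_oob_2
+;; CHECK-NEXT: [trap array oob]
+(func $new_empty_oob_2 (export "new_empty_oob_2") (result stringref)
+;; Try to make a string from an empty array that we slice at [:1], which is
+;; out of bounds due to the ending index.
+(string.new_wtf16_array
+(array.new_default $array16
+(i32.const 0)
+)
+(i32.const 0)
+(i32.const 1)
+)
+)
 )
 ;; CHECK: [fuzz-exec] calling new_wtf16_array
 ;; CHECK-NEXT: [fuzz-exec] note result: new_wtf16_array => string("ello")
@@ -373,6 +414,15 @@
 
 ;; CHECK: [fuzz-exec] calling slice-big
 ;; CHECK-NEXT: [fuzz-exec] note result: slice-big => string("defgh")
+
+;; CHECK: [fuzz-exec] calling new_empty
+;; CHECK-NEXT: [fuzz-exec] note result: new_empty => string("")
+
+;; CHECK: [fuzz-exec] calling new_empty_oob
+;; CHECK-NEXT: [trap array oob]
+
+;; CHECK: [fuzz-exec] calling new_empty_oob_2
+;; CHECK-NEXT: [trap array oob]
 ;; CHECK-NEXT: [fuzz-exec] comparing compare.1
 ;; CHECK-NEXT: [fuzz-exec] comparing compare.10
 ;; CHECK-NEXT: [fuzz-exec] comparing compare.2
@@ -394,6 +444,9 @@
 ;; CHECK-NEXT: [fuzz-exec] comparing eq.5
 ;; CHECK-NEXT: [fuzz-exec] comparing get_codeunit
 ;; CHECK-NEXT: [fuzz-exec] comparing get_length
+;; CHECK-NEXT: [fuzz-exec] comparing new_empty
+;; CHECK-NEXT: [fuzz-exec] comparing new_empty_oob
+;; CHECK-NEXT: [fuzz-exec] comparing new_empty_oob_2
 ;; CHECK-NEXT: [fuzz-exec] comparing new_wtf16_array
 ;; CHECK-NEXT: [fuzz-exec] comparing slice
 ;; CHECK-NEXT: [fuzz-exec] comparing slice-big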
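Review bot: None of the three new cases exercises a reversed range on a non-empty array, so `start > end` with both indices inside the array (e.g. slicing a 4-element `$array16` at [2:1]) goes untested; the interpreter guard this PR adds only compares each index against the array length, so such a call would appear to succeed with an empty string rather than trap. A fourth case mirroring `$new_empty_oob` but built on `(array.new_default $array16 (i32.const 4))` with `(i32.const 2)` / `(i32.const 1)` and a `;; CHECK-NEXT: [trap array oob]` expectation would pin that behaviour, with matching entries in the fuzz-exec and comparing lists. Whether that trap is required depends on the stringref semantics the interpreter targets, which this diff does not show.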