christoph/wamr
1
Fork 0
Code Releases Activity

Fix out-of-bounds read in wasm loader (#156)

Browse Source
This commit is contained in:
greenknot
2020-01-17 06:38:21 +01:00
committed by wenyongh
parent aa24fc5e0f
commit 2a4528c749
1 changed files with 9 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
core/iwasm/runtime/vmcore-wasm/wasm_loader.c
View File

@ -55,7 +55,15 @@ read_leb(const uint8 *buf, const uint8 *buf_end,
uint64 byte; uint64 byte;
while (true) { while (true) {
CHECK_BUF(buf, buf_end, 1); /* Check if the byte count exteeds the max byte count allowed */
if (bcnt + 1 > (maxbits + 6) / 7) {
set_error_buf(error_buf, error_buf_size,
"WASM module load failed: "
"integer representation too long");
return false;
}
/* Check buffer */
CHECK_BUF(buf, buf_end, *p_offset + 1);
byte = buf[*p_offset]; byte = buf[*p_offset];
*p_offset += 1; *p_offset += 1;
result |= ((byte & 0x7f) << shift); result |= ((byte & 0x7f) << shift);
@ -66,13 +74,6 @@ read_leb(const uint8 *buf, const uint8 *buf_end,
} }
} }
if (bcnt > (maxbits + 6) / 7) {
set_error_buf(error_buf, error_buf_size,
"WASM module load failed: "
"integer representation too long");
return false;
}
if (!sign && maxbits == 32 && shift >= maxbits) { if (!sign && maxbits == 32 && shift >= maxbits) {
/* The top bits set represent values > 32 bits */ /* The top bits set represent values > 32 bits */
if (((uint8)byte) & 0xf0) if (((uint8)byte) & 0xf0)