Fix some check issues on table operations (#2392)
Fix some check issues on table.init, table.fill and table.copy, and unify the check method for all running modes. Fix issue #2390 and #2096.
This commit is contained in:
Wenyong Huang
@ -627,7 +627,6 @@ typedef struct WASMBranchBlock {
|
||||
uint32 cell_num;
|
||||
} WASMBranchBlock;
|
||||
|
||||
/* Execution environment, e.g. stack info */
|
||||
/**
|
||||
* Align an unsigned value on a alignment boundary.
|
||||
*
|
||||
@ -643,6 +642,24 @@ align_uint(unsigned v, unsigned b)
|
||||
return (v + m) & ~m;
|
||||
}
|
||||
|
||||
/**
|
||||
* Check whether a piece of data is out of range
|
||||
*
|
||||
* @param offset the offset that the data starts
|
||||
* @param len the length of the data
|
||||
* @param max_size the maximum size of the data range
|
||||
*
|
||||
* @return true if out of range, false otherwise
|
||||
*/
|
||||
inline static bool
|
||||
offset_len_out_of_bounds(uint32 offset, uint32 len, uint32 max_size)
|
||||
{
|
||||
if (offset + len < offset /* integer overflow */
|
||||
|| offset + len > max_size)
|
||||
return true;
|
||||
return false;
|
||||
}
|
||||
|
||||
/**
|
||||
* Return the hash value of c string.
|
||||
*/
|
||||
|
||||
@ -3247,7 +3247,7 @@ wasm_interp_call_func_bytecode(WASMModuleInstance *module,
|
||||
case WASM_OP_TABLE_INIT:
|
||||
{
|
||||
uint32 tbl_idx, elem_idx;
|
||||
uint64 n, s, d;
|
||||
uint32 n, s, d;
|
||||
WASMTableInstance *tbl_inst;
|
||||
|
||||
read_leb_uint32(frame_ip, frame_ip_end, elem_idx);
|
||||
@ -3262,20 +3262,21 @@ wasm_interp_call_func_bytecode(WASMModuleInstance *module,
|
||||
s = (uint32)POP_I32();
|
||||
d = (uint32)POP_I32();
|
||||
|
||||
/* TODO: what if the element is not passive? */
|
||||
|
||||
if (!n) {
|
||||
break;
|
||||
}
|
||||
|
||||
if (n + s > module->module->table_segments[elem_idx]
|
||||
.function_count
|
||||
|| d + n > tbl_inst->cur_size) {
|
||||
if (offset_len_out_of_bounds(
|
||||
s, n,
|
||||
module->module->table_segments[elem_idx]
|
||||
.function_count)
|
||||
|| offset_len_out_of_bounds(d, n,
|
||||
tbl_inst->cur_size)) {
|
||||
wasm_set_exception(module,
|
||||
"out of bounds table access");
|
||||
goto got_exception;
|
||||
}
|
||||
|
||||
if (!n) {
|
||||
break;
|
||||
}
|
||||
|
||||
if (module->module->table_segments[elem_idx]
|
||||
.is_dropped) {
|
||||
wasm_set_exception(module,
|
||||
@ -3316,7 +3317,7 @@ wasm_interp_call_func_bytecode(WASMModuleInstance *module,
|
||||
case WASM_OP_TABLE_COPY:
|
||||
{
|
||||
uint32 src_tbl_idx, dst_tbl_idx;
|
||||
uint64 n, s, d;
|
||||
uint32 n, s, d;
|
||||
WASMTableInstance *src_tbl_inst, *dst_tbl_inst;
|
||||
|
||||
read_leb_uint32(frame_ip, frame_ip_end, dst_tbl_idx);
|
||||
@ -3333,8 +3334,10 @@ wasm_interp_call_func_bytecode(WASMModuleInstance *module,
|
||||
s = (uint32)POP_I32();
|
||||
d = (uint32)POP_I32();
|
||||
|
||||
if (d + n > dst_tbl_inst->cur_size
|
||||
|| s + n > src_tbl_inst->cur_size) {
|
||||
if (offset_len_out_of_bounds(d, n,
|
||||
dst_tbl_inst->cur_size)
|
||||
|| offset_len_out_of_bounds(
|
||||
s, n, src_tbl_inst->cur_size)) {
|
||||
wasm_set_exception(module,
|
||||
"out of bounds table access");
|
||||
goto got_exception;
|
||||
@ -3404,11 +3407,8 @@ wasm_interp_call_func_bytecode(WASMModuleInstance *module,
|
||||
fill_val = POP_I32();
|
||||
i = POP_I32();
|
||||
|
||||
/* TODO: what if the element is not passive? */
|
||||
/* TODO: what if the element is dropped? */
|
||||
|
||||
if (i + n > tbl_inst->cur_size) {
|
||||
/* TODO: verify warning content */
|
||||
if (offset_len_out_of_bounds(i, n,
|
||||
tbl_inst->cur_size)) {
|
||||
wasm_set_exception(module,
|
||||
"out of bounds table access");
|
||||
goto got_exception;
|
||||
|
||||
@ -3078,7 +3078,7 @@ wasm_interp_call_func_bytecode(WASMModuleInstance *module,
|
||||
case WASM_OP_TABLE_INIT:
|
||||
{
|
||||
uint32 tbl_idx, elem_idx;
|
||||
uint64 n, s, d;
|
||||
uint32 n, s, d;
|
||||
WASMTableInstance *tbl_inst;
|
||||
|
||||
elem_idx = read_uint32(frame_ip);
|
||||
@ -3093,18 +3093,21 @@ wasm_interp_call_func_bytecode(WASMModuleInstance *module,
|
||||
s = (uint32)POP_I32();
|
||||
d = (uint32)POP_I32();
|
||||
|
||||
if (!n) {
|
||||
break;
|
||||
}
|
||||
|
||||
if (n + s > module->module->table_segments[elem_idx]
|
||||
.function_count
|
||||
|| d + n > tbl_inst->cur_size) {
|
||||
if (offset_len_out_of_bounds(
|
||||
s, n,
|
||||
module->module->table_segments[elem_idx]
|
||||
.function_count)
|
||||
|| offset_len_out_of_bounds(d, n,
|
||||
tbl_inst->cur_size)) {
|
||||
wasm_set_exception(module,
|
||||
"out of bounds table access");
|
||||
goto got_exception;
|
||||
}
|
||||
|
||||
if (!n) {
|
||||
break;
|
||||
}
|
||||
|
||||
if (module->module->table_segments[elem_idx]
|
||||
.is_dropped) {
|
||||
wasm_set_exception(module,
|
||||
@ -3143,7 +3146,7 @@ wasm_interp_call_func_bytecode(WASMModuleInstance *module,
|
||||
case WASM_OP_TABLE_COPY:
|
||||
{
|
||||
uint32 src_tbl_idx, dst_tbl_idx;
|
||||
uint64 n, s, d;
|
||||
uint32 n, s, d;
|
||||
WASMTableInstance *src_tbl_inst, *dst_tbl_inst;
|
||||
|
||||
dst_tbl_idx = read_uint32(frame_ip);
|
||||
@ -3160,8 +3163,10 @@ wasm_interp_call_func_bytecode(WASMModuleInstance *module,
|
||||
s = (uint32)POP_I32();
|
||||
d = (uint32)POP_I32();
|
||||
|
||||
if (d + n > dst_tbl_inst->cur_size
|
||||
|| s + n > src_tbl_inst->cur_size) {
|
||||
if (offset_len_out_of_bounds(d, n,
|
||||
dst_tbl_inst->cur_size)
|
||||
|| offset_len_out_of_bounds(
|
||||
s, n, src_tbl_inst->cur_size)) {
|
||||
wasm_set_exception(module,
|
||||
"out of bounds table access");
|
||||
goto got_exception;
|
||||
@ -3232,7 +3237,8 @@ wasm_interp_call_func_bytecode(WASMModuleInstance *module,
|
||||
fill_val = POP_I32();
|
||||
i = POP_I32();
|
||||
|
||||
if (i + n > tbl_inst->cur_size) {
|
||||
if (offset_len_out_of_bounds(i, n,
|
||||
tbl_inst->cur_size)) {
|
||||
wasm_set_exception(module,
|
||||
"out of bounds table access");
|
||||
goto got_exception;
|
||||
|
||||
@ -3301,13 +3301,13 @@ llvm_jit_table_init(WASMModuleInstance *module_inst, uint32 tbl_idx,
|
||||
bh_assert(tbl_inst);
|
||||
bh_assert(tbl_seg);
|
||||
|
||||
if (!length) {
|
||||
if (offset_len_out_of_bounds(src_offset, length, tbl_seg->function_count)
|
||||
|| offset_len_out_of_bounds(dst_offset, length, tbl_inst->cur_size)) {
|
||||
jit_set_exception_with_id(module_inst, EXCE_OUT_OF_BOUNDS_TABLE_ACCESS);
|
||||
return;
|
||||
}
|
||||
|
||||
if (length + src_offset > tbl_seg->function_count
|
||||
|| dst_offset + length > tbl_inst->cur_size) {
|
||||
jit_set_exception_with_id(module_inst, EXCE_OUT_OF_BOUNDS_TABLE_ACCESS);
|
||||
if (!length) {
|
||||
return;
|
||||
}
|
||||
|
||||
@ -3349,8 +3349,9 @@ llvm_jit_table_copy(WASMModuleInstance *module_inst, uint32 src_tbl_idx,
|
||||
bh_assert(src_tbl_inst);
|
||||
bh_assert(dst_tbl_inst);
|
||||
|
||||
if ((uint64)dst_offset + length > dst_tbl_inst->cur_size
|
||||
|| (uint64)src_offset + length > src_tbl_inst->cur_size) {
|
||||
if (offset_len_out_of_bounds(dst_offset, length, dst_tbl_inst->cur_size)
|
||||
|| offset_len_out_of_bounds(src_offset, length,
|
||||
src_tbl_inst->cur_size)) {
|
||||
jit_set_exception_with_id(module_inst, EXCE_OUT_OF_BOUNDS_TABLE_ACCESS);
|
||||
return;
|
||||
}
|
||||
@ -3382,7 +3383,7 @@ llvm_jit_table_fill(WASMModuleInstance *module_inst, uint32 tbl_idx,
|
||||
tbl_inst = wasm_get_table_inst(module_inst, tbl_idx);
|
||||
bh_assert(tbl_inst);
|
||||
|
||||
if (data_offset + length > tbl_inst->cur_size) {
|
||||
if (offset_len_out_of_bounds(data_offset, length, tbl_inst->cur_size)) {
|
||||
jit_set_exception_with_id(module_inst, EXCE_OUT_OF_BOUNDS_TABLE_ACCESS);
|
||||
return;
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user