LibWasm: Properly check table bounds in element instantiation
Offset is now checked using saturating addition to avoid overflow. This prevents a crash in the VM during instantiation.
parent
2fabbae0f6
commit
308592969c
Notes:
sideshowbarker
2024-07-17 18:08:55 +09:00
Author: https://github.com/dzfrias Commit: https://github.com/SerenityOS/serenity/commit/308592969c Pull-request: https://github.com/SerenityOS/serenity/pull/24517
@ -282,16 +282,14 @@ InstantiationResult AbstractMachine::instantiate(Module const& module, Vector<Ex
|
||||
return IterationDecision::Break;
|
||||
}
|
||||
|
||||
auto total_required_size = elem_instance->references().size() + d.value();
|
||||
Checked<size_t> total_size = elem_instance->references().size();
|
||||
total_size.saturating_add(d.value());
|
||||
|
||||
if (table_instance->type().limits().max().value_or(total_required_size) < total_required_size) {
|
||||
instantiation_result = InstantiationError { "Table limit overflow in active element segment" };
|
||||
if (total_size.value() > table_instance->elements().size()) {
|
||||
instantiation_result = InstantiationError { "Table instantiation out of bounds" };
|
||||
return IterationDecision::Break;
|
||||
}
|
||||
|
||||
if (table_instance->elements().size() < total_required_size)
|
||||
table_instance->elements().resize(total_required_size);
|
||||
|
||||
size_t i = 0;
|
||||
for (auto it = elem_instance->references().begin(); it < elem_instance->references().end(); ++i, ++it) {
|
||||
table_instance->elements()[i + d.value()] = *it;
|
||||
|
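Review bot: The check on `total_size.value()` is the only guard for the unchecked write `table_instance->elements()[i + d.value()]` in the loop that follows, and nothing in the code says so or explains why saturation is used instead of an overflow test. A short comment above the check would keep a later edit from weakening it, for example `// Saturates at the size_t maximum on overflow, so a wrapped offset can never pass this bound and reach the indexed write below.` The declaration of `d` is outside the hunk; if its value is a signed type, the check presumably relies on the implicit conversion to `size_t` inside `saturating_add` to turn a negative offset into a very large one. That is worth making explicit by converting the offset once into a named `size_t` local and using it in both the check and the index expression. The enclosing block starts and ends outside the hunk.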