LadybirdBrowser/ladybird
1
1
Fork 0
mirror of https://github.com/LadybirdBrowser/ladybird.git synced 2024-08-17 01:10:28 +03:00
Code Issues Packages Projects Releases Wiki Activity

LibWasm: Properly check memory.copy addresses

Browse Source 
Prevents overflow when checking that `memory.copy` addresses are valid.
This prevents a potential crash in the VM.
This commit is contained in:
Diego 2024-06-01 15:41:16 -07:00 committed by Ali Mohammad Pur
parent 308592969c
commit ad9457b725
Notes: sideshowbarker 2024-07-17 06:38:11 +09:00 
Author: https://github.com/dzfrias
Commit: https://github.com/SerenityOS/serenity/commit/ad9457b725
Pull-request: https://github.com/SerenityOS/serenity/pull/24519
Reviewed-by: https://github.com/alimpfard
1 changed files with 6 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
Userland/Libraries/LibWasm/AbstractMachine/BytecodeInterpreter.cpp
View File

@ -802,8 +802,12 @@ void BytecodeInterpreter::interpret(Configuration& configuration, InstructionPoi
auto source_offset = configuration.stack().pop().get<Value>().to<i32>().value();
auto destination_offset = configuration.stack().pop().get<Value>().to<i32>().value();
TRAP_IF_NOT(static_cast<size_t>(source_offset + count) <= source_instance->data().size());
TRAP_IF_NOT(static_cast<size_t>(destination_offset + count) <= destination_instance->data().size());
Checked<size_t> source_position = source_offset;
source_position.saturating_add(count);
Checked<size_t> destination_position = destination_offset;
destination_position.saturating_add(count);
TRAP_IF_NOT(source_position <= source_instance->data().size());
TRAP_IF_NOT(destination_position <= destination_instance->data().size());
if (count == 0)
return;