commit 8eb634d32e5423ecdac4b75edaeca4199c60bf1e
author tzagallo@apple.com <tzagallo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc> Thu Dec 05 22:32:55 2019 +0000
committer tzagallo@apple.com <tzagallo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc> Thu Dec 05 22:32:55 2019 +0000
tree dee6bf4d79dc099181636b8d7cff3a3a72a2b5d0
parent 1cd4f372afd2e15045448131696c8a2f7eea35f5

REGRESSION(r253140): Wasm::FunctionParser needs to bounds check in SetLocal/TeeLocal
https://bugs.webkit.org/show_bug.cgi?id=204909

Reviewed by Keith Miller.

When moving the code from WasmValidate.cpp to WasmFunctionParser.h, I missed that SetLocal and
TeeLocal used to call Wasm::Validate::getLocal, which would perform the bounds check. I just
added back the checks to the parser before accessing the local's type from m_locals.

* wasm/WasmFunctionParser.h:
(JSC::Wasm::FunctionParser<Context>::parseExpression):


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@253171 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/JavaScriptCore/ChangeLog

diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
index 316c107..90b986d 100644
--- a/Source/JavaScriptCore/ChangeLog
+++ b/Source/JavaScriptCore/ChangeLog
@@ -1,5 +1,19 @@
 2019-12-05  Tadeu Zagallo  <tzagallo@apple.com>
 
+        REGRESSION(r253140): Wasm::FunctionParser needs to bounds check in SetLocal/TeeLocal
+        https://bugs.webkit.org/show_bug.cgi?id=204909
+
+        Reviewed by Keith Miller.
+
+        When moving the code from WasmValidate.cpp to WasmFunctionParser.h, I missed that SetLocal and
+        TeeLocal used to call Wasm::Validate::getLocal, which would perform the bounds check. I just
+        added back the checks to the parser before accessing the local's type from m_locals.
+
+        * wasm/WasmFunctionParser.h:
+        (JSC::Wasm::FunctionParser<Context>::parseExpression):
+
+2019-12-05  Tadeu Zagallo  <tzagallo@apple.com>
+
         [WebAssembly] Fix bad assertion in LLIntPlan
         https://bugs.webkit.org/show_bug.cgi?id=204893
 

Source/JavaScriptCore/wasm/WasmFunctionParser.h

diff --git a/Source/JavaScriptCore/wasm/WasmFunctionParser.h b/Source/JavaScriptCore/wasm/WasmFunctionParser.h
index d12c948..feca880 100644
--- a/Source/JavaScriptCore/wasm/WasmFunctionParser.h
+++ b/Source/JavaScriptCore/wasm/WasmFunctionParser.h
@@ -536,6 +536,7 @@
         TypedExpression value;
         WASM_PARSER_FAIL_IF(!parseVarUInt32(index), "can't get index for set_local");
         WASM_TRY_POP_EXPRESSION_STACK_INTO(value, "set_local");
+        WASM_VALIDATOR_FAIL_IF(index >= m_locals.size(), "attempt to set unknown local ", index, " last one is ", m_locals.size());
         WASM_VALIDATOR_FAIL_IF(!isSubtype(value.type(), m_locals[index]), "set_local to type ", value.type(), " expected ", m_locals[index]);
         WASM_TRY_ADD_TO_CONTEXT(setLocal(index, value));
         return { };
@@ -546,6 +547,7 @@
         WASM_PARSER_FAIL_IF(!parseVarUInt32(index), "can't get index for tee_local");
         WASM_PARSER_FAIL_IF(m_expressionStack.isEmpty(), "can't tee_local on empty expression stack");
         TypedExpression value = m_expressionStack.last();
+        WASM_VALIDATOR_FAIL_IF(index >= m_locals.size(), "attempt to tee unknown local ", index, " last one is ", m_locals.size());
         WASM_VALIDATOR_FAIL_IF(!isSubtype(value.type(), m_locals[index]), "set_local to type ", value.type(), " expected ", m_locals[index]);
         WASM_TRY_ADD_TO_CONTEXT(setLocal(index, value));
         return { };