LibWasm: Check source and destination offsets in memory.init

Overflows are no longer possible.
Author: https://github.com/dzfrias Commit: 3b40667413 Pull-request: https://github.com/LadybirdBrowser/ladybird/pull/241
2025-06-09 09:34:57 +09:00 · 2024-06-21 16:28:27 -07:00 · 2024-06-21 16:28:27 -07:00 · 3b40667413 · 2024-07-18 03:20:18 +09:00
commit 3b40667413
parent 0d22e0703f
1 changed files with 9 additions and 3 deletions
--- a/Userland/Libraries/LibWasm/AbstractMachine/BytecodeInterpreter.cpp
+++ b/Userland/Libraries/LibWasm/AbstractMachine/BytecodeInterpreter.cpp
@ -840,16 +840,22 @@ void BytecodeInterpreter::interpret(Configuration& configuration, InstructionPoi
        auto& args = instruction.arguments().get<Instruction::MemoryInitArgs>();
        auto& data_address = configuration.frame().module().datas()[args.data_index.value()];
        auto& data = *configuration.store().get(data_address);
        auto memory_address = configuration.frame().module().memories()[args.memory_index.value()];
        auto memory = configuration.store().get(memory_address);
        auto count = *configuration.stack().pop().get<Value>().to<u32>();
        auto source_offset = *configuration.stack().pop().get<Value>().to<u32>();
        auto destination_offset = *configuration.stack().pop().get<Value>().to<u32>();
        Checked<size_t> source_position = source_offset;
        source_position.saturating_add(count);
        Checked<size_t> destination_position = destination_offset;
        destination_position.saturating_add(count);
        TRAP_IF_NOT(source_position <= data.data().size());
        TRAP_IF_NOT(destination_position <= memory->data().size());
        if (count == 0)
            return;
        TRAP_IF_NOT(source_offset + count > 0);
        TRAP_IF_NOT(static_cast<size_t>(source_offset + count) <= data.size());
        Instruction synthetic_store_instruction {
            Instructions::i32_store8,
            Instruction::MemoryArgument { 0, 0, args.memory_index }