From b64d6bb3a3e45ca3aeb56b79f200092246f5e335 Mon Sep 17 00:00:00 2001
From: Ali Mohammad Pur
Date: Mon, 30 Aug 2021 23:37:29 +0430
Subject: LibWasm: Limit the number of function locals
It's possible for the module to request too many locals, we now reject such modules instead of trying to allocate space for them. The value itself is chosen arbitrarily, so future tweaks _might_ be necessary.
Found by OSS-Fuzz: https://oss-fuzz.com/testcase?key=4755809098661888
---
 Userland/Libraries/LibWasm/Constants.h | 1 +
 Userland/Libraries/LibWasm/Parser/Parser.cpp | 5 ++++-
 2 files changed, 5 insertions(+), 1 deletion(-)
(limited to 'Userland/Libraries/LibWasm')
diff --git a/Userland/Libraries/LibWasm/Constants.h b/Userland/Libraries/LibWasm/Constants.h
index 459a4a95a9..de2e8481eb 100644
--- a/Userland/Libraries/LibWasm/Constants.h
+++ b/Userland/Libraries/LibWasm/Constants.h
@@ -40,5 +40,6 @@ static constexpr auto page_size = 64 * KiB;
 // These are not concretely defined by the spec, so the values are only defined by us.
 static constexpr auto minimum_stack_space_to_keep_free = 256 * KiB; // Note: Value is arbitrary and chosen by testing with ASAN
 static constexpr auto max_allowed_executed_instructions_per_call = 256 * 1024 * 1024;
+static constexpr auto max_allowed_function_locals_per_type = 420; // Note: VERY arbitrary.
 }
diff --git a/Userland/Libraries/LibWasm/Parser/Parser.cpp b/Userland/Libraries/LibWasm/Parser/Parser.cpp
index 0560c9e1d5..53c95522da 100644
--- a/Userland/Libraries/LibWasm/Parser/Parser.cpp
+++ b/Userland/Libraries/LibWasm/Parser/Parser.cpp
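Review bot: The comment on the new constant says the value is arbitrary but not what it bounds, and `auto` deduces `int` here while the only consumer in Parser.cpp compares it against a `size_t` count read for one locals entry. Suggest `static constexpr size_t max_allowed_function_locals_per_type = 420; // Note: VERY arbitrary. Caps the repeat count of a single locals entry, not a function's total locals.` so that whoever tunes it later knows which quantity is being limited. The neighbouring constants also use `auto`, so the type change is optional; the signed/unsigned comparison is harmless for a positive literal, but the explicit type documents the domain.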
@@ -1091,7 +1091,10 @@ ParseResult Locals::parse(InputStream& stream)
 size_t count;
 if (!LEB128::read_unsigned(stream, count))
 return with_eof_check(stream, ParseError::InvalidSize);
- // TODO: Disallow too many entries.
+
+ if (count > Constants::max_allowed_function_locals_per_type) return with_eof_check(stream, ParseError::HugeAllocationRequested);
+
 auto type = ValueType::parse(stream);
 if (type.is_error())
 return type.error();
-- cgit v1.2.3
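Review bot: The new check bounds the `count` of a single locals entry, but a function body presumably carries a vector of such entries (the removed TODO speaks of "entries" and the constant is named per type), so the total number of locals a module can request is still `count` times the number of entries. If the allocation the OSS-Fuzz case hit is the per-function locals storage, the caller that loops over `Locals::parse` (outside this hunk) also needs a running total across entries that returns `ParseError::HugeAllocationRequested` once it exceeds the limit; otherwise the constant should be renamed or commented so readers do not take it for a per-function cap. The check itself is correctly placed before `ValueType::parse`, so no type is parsed for a rejected entry. `Locals::parse` begins before and ends after this hunk.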