Extr can overflow when imm=64, allowing a random register to be read

rdar://118515062

Reviewed by Yusuke Suzuki.

Extr can overflow when imm=64, allowing a random register to be read.

* Source/JavaScriptCore/b3/B3LowerToAir.cpp:
* Source/JavaScriptCore/b3/air/AirValidate.cpp:

Originally-landed-as: 267815.574@safari-7617-branch (49ba637). rdar://119327080
Canonical link: https://commits.webkit.org/271694@main

Source/JavaScriptCore/b3/B3LowerToAir.cpp

@@ -3379,7 +3379,7 @@ class LowerToAir {
                 uint64_t highWidth = highWidthValue->asInt();
                 uint64_t lowWidth = lowWidthValue->asInt();
                 uint64_t datasize = opcode == ExtractRegister32 ? 32 : 64;
-                if (lowWidth + highWidth != datasize || maskBitCount != lowWidth)
+                if (lowWidth + highWidth != datasize || maskBitCount != lowWidth || lowWidth == datasize)
                     return false;
 
                 append(opcode, tmp(nValue), tmp(mValue), imm(lowWidthValue), tmp(m_value));

Source/JavaScriptCore/b3/air/AirValidate.cpp

@@ -116,6 +116,14 @@ class Validater {
                     VALIDATE(elementByteSize(inst.args[0].simdInfo().lane) <= 8, ("At ", inst, " in ", *block));
                     VALIDATE(elementByteSize(inst.args[0].simdInfo().lane) >= 2, ("At ", inst, " in ", *block));
                     break;
+                case ExtractRegister64:
+                    VALIDATE(inst.args[2].isImm(), ("At ", inst, " in ", *block));
+                    VALIDATE(inst.args[2].asTrustedImm32().m_value < 64, ("At ", inst, " in ", *block));
+                    break;
+                case ExtractRegister32:
+                    VALIDATE(inst.args[2].isImm(), ("At ", inst, " in ", *block));
+                    VALIDATE(inst.args[2].asTrustedImm32().m_value < 32, ("At ", inst, " in ", *block));
+                    break;
                 default:
                     break;
                 }