In the read_function_body() function, the code reading the local variable declarations looks like this:
```rust
for _ in 0..local_count {
    let (count, ty) = self.reader.read_local_decl()?;
    locals_total += count as usize;
    if locals_total > MAX_WASM_FUNCTION_LOCALS {
        return Err(BinaryReaderError {
            message: "local_count is out of bounds",
            offset: self.reader.position - 1,
        });
    }
    locals.push((count, ty));
}
```
In a 32-bit build, the addition in `locals_total += count as usize` could overflow, which causes a panic only in debug builds. In release builds it silently wraps.
A fuzz tester running on a 32-bit build would probably catch that.
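As an added illustration (not code from wasmparser or from the issue above), the accumulation loop modelled with an explicit `u32` total so the 32-bit wrap can be reproduced on any host. `MAX_WASM_FUNCTION_LOCALS` is set to 50_000 here as an assumption, the local declarations are constructed, and a `checked_add` variant is shown beside the wrapping one:

```rust
// Added example modelling the locals-total accumulation from
// read_function_body(). The u32 accumulator stands in for a 32-bit usize;
// the limit value is an assumption for illustration.
const MAX_WASM_FUNCTION_LOCALS: u32 = 50_000;

#[derive(Debug, PartialEq)]
enum LocalsError {
    OutOfBounds,
    Overflow,
}

/// Release-build behaviour on a 32-bit target: the addition wraps silently,
/// so a total that wraps back below the limit slips past the bounds check.
fn total_locals_wrapping(decls: &[(u32, u8)]) -> Result<u32, LocalsError> {
    let mut total: u32 = 0;
    for &(count, _ty) in decls {
        total = total.wrapping_add(count);
        if total > MAX_WASM_FUNCTION_LOCALS {
            return Err(LocalsError::OutOfBounds);
        }
    }
    Ok(total)
}

/// Hardened variant: checked_add turns the wrap into an explicit error
/// instead of a debug-only panic or a silent wrap.
fn total_locals_checked(decls: &[(u32, u8)]) -> Result<u32, LocalsError> {
    let mut total: u32 = 0;
    for &(count, _ty) in decls {
        total = total.checked_add(count).ok_or(LocalsError::Overflow)?;
        if total > MAX_WASM_FUNCTION_LOCALS {
            return Err(LocalsError::OutOfBounds);
        }
    }
    Ok(total)
}

/// Constructed input: ordinary declarations, five locals in total.
fn benign_decls() -> Vec<(u32, u8)> {
    vec![(3, 0x7f), (2, 0x7e)]
}

/// Constructed input: a single declaration over the limit, caught by both.
fn oversized_decls() -> Vec<(u32, u8)> {
    vec![(60_000, 0x7f)]
}

/// Constructed input: 10 locals, then a count of u32::MAX - 5. The sum is
/// 2^32 + 4, which wraps to 4 and passes the `> MAX` check.
fn wrapping_decls() -> Vec<(u32, u8)> {
    vec![(10, 0x7f), (u32::MAX - 5, 0x7f)]
}

fn main() {
    for (name, decls) in [
        ("benign", benign_decls()),
        ("oversized", oversized_decls()),
        ("wrapping", wrapping_decls()),
    ] {
        println!(
            "{name:>9}: wrapping={:?} checked={:?}",
            total_locals_wrapping(&decls),
            total_locals_checked(&decls)
        );
    }
}
```

The wrapping input is accepted with a total of 4 by the first function, which is exactly the silent-wrap case the issue describes; the checked variant reports the overflow on the same input and agrees with the wrapping one everywhere else.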
This patch fixes a bug in the implementation of the `matches` relation
for `ContType`. The implementation uses `type_at` to retrieve the
function types pointed to by the continuation types. These function types are wrapped in a `SubType`, meaning
```rust
let a = type_at(self.0);
let b = type_at(other.0);
a.matches(b, type_at)
```
will execute the `matches` implementation for `SubType` whose
implementation is
```rust
fn matches<'a, F>(&self, other: &Self, type_at: &F) -> bool
where
F: Fn(u32) -> &'a SubType,
{
!other.is_final
&& self
.structural_type
.matches(&other.structural_type, type_at)
}
```
The test `!other.is_final` is troublesome as it may inadvertently
short-circuit the subtyping check of an otherwise compatible pair of
types.
We subvert this check by projecting the structural types out, i.e.
```rust
let a = type_at(self.0);
let b = type_at(other.0);
a.structural_type.matches(&b.structural_type, type_at)
```
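A reduced model of the types involved, added here to show the short-circuit the commit message describes and is not wasm-tools' own code. `StructuralType::matches` is simplified to equality as an assumption (the real relation is richer, but the `is_final` problem does not depend on it), the type store is constructed, and both the pre-patch and post-patch `ContType::matches` bodies from the message are reproduced side by side:

```rust
// Added example: minimal model of SubType / StructuralType / ContType.
// Structural matching is plain equality here (assumption for illustration).
#[derive(Debug, Clone, Copy, PartialEq)]
enum ValType {
    I32,
    I64,
}

#[derive(Debug, Clone, PartialEq)]
struct FuncType {
    params: Vec<ValType>,
    results: Vec<ValType>,
}

#[derive(Debug, Clone, PartialEq)]
enum StructuralType {
    Func(FuncType),
}

impl StructuralType {
    fn matches<'a, F>(&self, other: &Self, _type_at: &F) -> bool
    where
        F: Fn(u32) -> &'a SubType,
    {
        self == other
    }
}

#[derive(Debug)]
struct SubType {
    is_final: bool,
    structural_type: StructuralType,
}

impl SubType {
    /// Same shape as the SubType::matches quoted in the commit message:
    /// a final `other` is rejected before the structural comparison runs.
    fn matches<'a, F>(&self, other: &Self, type_at: &F) -> bool
    where
        F: Fn(u32) -> &'a SubType,
    {
        !other.is_final && self.structural_type.matches(&other.structural_type, type_at)
    }
}

/// A continuation type refers to a function type by index.
struct ContType(u32);

impl ContType {
    /// Pre-patch body: goes through SubType::matches.
    fn matches_before<'a, F>(&self, other: &Self, type_at: &F) -> bool
    where
        F: Fn(u32) -> &'a SubType,
    {
        let a = type_at(self.0);
        let b = type_at(other.0);
        a.matches(b, type_at)
    }

    /// Post-patch body: compares the projected structural types only.
    fn matches_after<'a, F>(&self, other: &Self, type_at: &F) -> bool
    where
        F: Fn(u32) -> &'a SubType,
    {
        let a = type_at(self.0);
        let b = type_at(other.0);
        a.structural_type.matches(&b.structural_type, type_at)
    }
}

fn lookup<'a>(store: &'a [SubType]) -> impl Fn(u32) -> &'a SubType + 'a {
    move |i| &store[i as usize]
}

fn func(params: &[ValType], results: &[ValType], is_final: bool) -> SubType {
    SubType {
        is_final,
        structural_type: StructuralType::Func(FuncType {
            params: params.to_vec(),
            results: results.to_vec(),
        }),
    }
}

/// Constructed type store. Entries 0 and 1 are identical final function
/// types (a type written without `sub` is final); entry 2 differs.
fn sample_store() -> Vec<SubType> {
    vec![
        func(&[ValType::I32], &[ValType::I64], true),
        func(&[ValType::I32], &[ValType::I64], true),
        func(&[ValType::I64], &[ValType::I64], true),
    ]
}

/// Returns (pre-patch result, post-patch result) for cont types a and b.
fn compare(store: &[SubType], a: u32, b: u32) -> (bool, bool) {
    let type_at = lookup(store);
    (
        ContType(a).matches_before(&ContType(b), &type_at),
        ContType(a).matches_after(&ContType(b), &type_at),
    )
}

fn main() {
    let store = sample_store();
    println!("cont 0 vs cont 1 (identical, final): {:?}", compare(&store, 0, 1));
    println!("cont 0 vs cont 2 (different):        {:?}", compare(&store, 0, 2));
}
```

For the identical pair the pre-patch path returns `false` purely because the target is final, while the projected comparison returns `true`; for the genuinely different pair both paths agree on `false`, so the fix widens acceptance only where the structural types actually match.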