Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fuzz test a 32-bit build #10

Open
stoklund opened this issue Aug 31, 2017 · 0 comments
Open

Fuzz test a 32-bit build #10

stoklund opened this issue Aug 31, 2017 · 0 comments
Labels
wasmparser Related to the binary format of WebAssembly (wasmparser)

Comments

@stoklund
Copy link

In the read_function_body() function, the code reading the local variable declarations looks like this:

        for _ in 0..local_count {
            let (count, ty) = self.reader.read_local_decl()?;
            locals_total += count as usize;
            if locals_total > MAX_WASM_FUNCTION_LOCALS {
                return Err(BinaryReaderError {
                               message: "local_count is out of bounds",
                               offset: self.reader.position - 1,
                           });
            }
            locals.push((count, ty));
        }

In a 32-bit build, the addition in locals_total += count as usize could overflow which causes a panic only in debug builds. In release builds it silently wraps.

A fuzz tester running on a 32-bit build would probably catch that.
@alexcrichton alexcrichton transferred this issue from bytecodealliance/wasmparser May 20, 2020
fitzgen added a commit to fitzgen/wasm-tools that referenced this issue Oct 21, 2020
@fitzgen
Merge pull request bytecodealliance#10 from alexcrichton/gen-maybe-in…
ad66e33 
…valid

Allow generation of possibly invalid modules
fitzgen pushed a commit to fitzgen/wasm-tools that referenced this issue Oct 21, 2020
@yurydelendik
Merge pull request bytecodealliance#10 from sunfishcode/no-concat
945db44 
Remove support for concatenated modules.
@alexcrichton alexcrichton added wasmparser Related to the binary format of WebAssembly (wasmparser) and removed binary labels May 16, 2022
dhil added a commit to dhil/wasm-tools that referenced this issue Sep 25, 2023
@dhil
Fix matches relation for ContType. (bytecodealliance#10)
9a01dae 
This patch fixes a bug in the implementation of the `matches` relation
for `ContType`. The implementation uses `type_at` to retrieve the
function types pointed to by the continuation types. These function types are wrapped in a `SubType`, meaning

```rust
let a = type_at(self.0);
let b = type_at(other.0);
a.matches(b, type_at)
```

will execute the `matches` implementation for `SubType` whose
implementation is

```rust
fn matches<'a, F>(&self, other: &Self, type_at: &F) -> bool
where
    F: Fn(u32) -> &'a SubType,
{
    !other.is_final
        && self
            .structural_type
            .matches(&other.structural_type, type_at)
}
```

The test `!other.is_final` is troublesome as it may inadvertently
short-circuit the subtyping check of an otherwise compatible pair of
types.

We subvert this check by projecting the structural types out, i.e.
```rust
let a = type_at(self.0);
let b = type_at(other.0);
a.structural_type.matches(&b.structural_type, type_at)
```
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
wasmparser Related to the binary format of WebAssembly (wasmparser)
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@alexcrichton @stoklund