Memory flattening: Check for overflow (#6233)

kripken · web-flow · commit 6453fd55a312 · 2024-01-24T12:21:29.000-08:00
Fixes a fuzz testcase for wasm-ctor-eval.

Add the beginnings of a polyfill for stdckdint.h to help that.
diff --git a/src/ir/memory-utils.cpp b/src/ir/memory-utils.cpp
@@ -15,6 +15,7 @@
  */
 
 #include "ir/memory-utils.h"
+#include "support/stdckdint.h"
 #include "wasm.h"
 
 namespace wasm::MemoryUtils {
@@ -94,7 +95,11 @@ bool flatten(Module& wasm) {
   for (auto& segment : dataSegments) {
     auto* offset = segment->offset->dynCast<Const>();
     Index start = offset->value.getInteger();
-    Index end = start + segment->data.size();
+    Index size = segment->data.size();
+    Index end;
+    if (std::ckd_add(&end, start, size)) {
+      return false;
+    }
     if (end > data.size()) {
       data.resize(end);
     }
diff --git a/src/support/stdckdint.h b/src/support/stdckdint.h
@@ -0,0 +1,43 @@
+/*
+ * Copyright 2024 WebAssembly Community Group participants
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef wasm_stdckdint_h
+#define wasm_stdckdint_h
+
+// This is a partial "polyfill" for the C23 file stdckdint.h. It allows us to
+// use that API even in older compilers.
+
+namespace std {
+
+template<typename T> bool ckd_add(T* output, T a, T b) {
+#if __has_builtin(__builtin_add_overflow)
+  return __builtin_add_overflow(a, b, output);
+#else
+  // Atm this polyfill only supports unsigned types.
+  static_assert(std::is_unsigned_v<T>);
+
+  T result = a + b;
+  if (result < a) {
+    return true;
+  }
+  *output = result;
+  return false;
+#endif
+}
+
+} // namespace std
+
+#endif // wasm_stdckdint_h
diff --git a/test/lit/ctor-eval/flatten_overflow.wast b/test/lit/ctor-eval/flatten_overflow.wast
@@ -0,0 +1,16 @@
+;; The data segment here is at an offset too large to fit into the memory due
+;; to an overflow. That will cause us to fail during flatten, so there are no
+;; changes to output here, but we should not error (if we don't check for
+;; overflow, we'd segfault).
+
+;; RUN: wasm-ctor-eval %s --ctors=test --kept-exports=test --quiet -all
+
+(module
+ (memory $0 10 10)
+ (data $0 (i32.const -1) "a")
+
+ (export "test" (func $test))
+
+ (func $test
+ )
+)
