Bug 1363431: wasm: Check for maximum br_table size; r=luke
authorBenjamin Bouvier <benj@benj.me>
Tue, 09 May 2017 18:33:40 +0200
changeset 357544 eb5cc2b22ef08b599e3995b6136d183e4210636c
parent 357543 8b3ae4be3a135640849ff6225f629c8ec97f1650
child 357545 fb67d4a855752424e3a422b14a0fb59c7b739bac
push id31795
push userkwierso@gmail.com
push dateWed, 10 May 2017 22:26:00 +0000
treeherdermozilla-central@3df2494ade45 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersluke
bugs1363431
milestone55.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1363431: wasm: Check for maximum br_table size; r=luke MozReview-Commit-ID: 2Q2pWi5NSn7
js/src/wasm/WasmBinaryIterator.h
--- a/js/src/wasm/WasmBinaryIterator.h
+++ b/js/src/wasm/WasmBinaryIterator.h
@@ -1076,16 +1076,19 @@ OpIter<Policy>::readBrTable(Uint32Vector
                             ExprType* branchValueType, Value* branchValue, Value* index)
 {
     MOZ_ASSERT(Classify(op_) == OpKind::BrTable);
 
     uint32_t tableLength;
     if (!readVarU32(&tableLength))
         return fail("unable to read br_table table length");
 
+    if (tableLength > MaxBrTableElems)
+        return fail("br_table too big");
+
     if (!popWithType(ValType::I32, index))
         return false;
 
     if (!depths->resize(tableLength))
         return false;
 
     *branchValueType = ExprType::Limit;