Mercurial > releases > mozilla-beta / changeset / 1511c3039be28f44f404aaa80d81a7dce9da3bb5
summary | shortlog | changelog | pushlog | graph | tags | bookmarks | branches | files | changeset | raw | zip | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Bug 1363431 - wasm: Check for maximum br_table size. r=luke, a=gchang
authorBenjamin Bouvier <benj@benj.me>
Tue, 09 May 2017 18:33:40 +0200
changeset 393933 1511c3039be28f44f404aaa80d81a7dce9da3bb5
parent 393932 4dc1982e436eb154ba3154f6df29585c41e47d22
child 393934 a64a82ad06cee055737560703f9dbc0124915a2b
push id7307
push userryanvm@gmail.com
push dateFri, 12 May 2017 16:56:21 +0000
treeherdermozilla-beta@1511c3039be2 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersluke, gchang
bugs1363431
milestone54.0
Bug 1363431 - wasm: Check for maximum br_table size. r=luke, a=gchang MozReview-Commit-ID: 2Q2pWi5NSn7
js/src/wasm/WasmBinaryIterator.h file | annotate | diff | comparison | revisions 
--- a/js/src/wasm/WasmBinaryIterator.h
+++ b/js/src/wasm/WasmBinaryIterator.h
@@ -1180,16 +1180,19 @@ OpIter<Policy>::readBrTable(Uint32Vector
                             ExprType* branchValueType, Value* branchValue, Value* index)
 {
     MOZ_ASSERT(Classify(op_) == OpKind::BrTable);
 
     uint32_t tableLength;
     if (!readVarU32(&tableLength))
         return fail("unable to read br_table table length");
 
+    if (tableLength > MaxBrTableElems)
+        return fail("br_table too big");
+
     if (!popWithType(ValType::I32, index))
         return false;
 
     Uint32Vector depths;
     if (!depths.resize(tableLength))
         return false;
 
     ExprType type = ExprType::Limit;
mozilla-beta
Deployed from e404c980045c at 2021-03-01T18:43:47Z.