Bug 1316634 - Use CheckedInt when checking definitions against maximum thresholds; r=luke a=jcristau
authorBenjamin Bouvier <benj@benj.me>
Mon, 21 Nov 2016 14:52:59 +0100
changeset 352556 19f94f079251e8c3ca77ae0a3a03d6e834c1c47d
parent 352555 c538edad135a485319c98da4ff86c1debaa93062
child 352557 16b857fbf1ab78641be7ea6c8f4e2cad163193cc
push id6795
push userjlund@mozilla.com
push dateMon, 23 Jan 2017 14:19:46 +0000
treeherdermozilla-esr52@76101b503191 [default view] [failures only]
reviewersluke, jcristau
bugs1316634
milestone52.0a2
Bug 1316634 - Use CheckedInt when checking definitions against maximum thresholds; r=luke a=jcristau
js/src/wasm/WasmBinaryFormat.cpp
js/src/wasm/WasmCompile.cpp
--- a/js/src/wasm/WasmBinaryFormat.cpp
+++ b/js/src/wasm/WasmBinaryFormat.cpp
@@ -311,18 +311,19 @@ wasm::DecodeFunctionSection(Decoder& d, 
         return false;
     if (sectionStart == Decoder::NotStarted)
         return true;
 
     uint32_t numDefs;
     if (!d.readVarU32(&numDefs))
         return d.fail("expected number of function definitions");
 
-    uint32_t numFuncs = numImportedFunc + numDefs;
-    if (numFuncs > MaxFuncs)
+    CheckedInt<uint32_t> numFuncs = numImportedFunc;
+    numFuncs += numDefs;
+    if (!numFuncs.isValid() || numFuncs.value() > MaxFuncs)
         return d.fail("too many functions");
 
     if (!funcSigIndexes->reserve(numDefs))
         return false;
 
     for (uint32_t i = 0; i < numDefs; i++) {
         uint32_t sigIndex;
         if (!DecodeSignatureIndex(d, sigs, &sigIndex))
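Review bot: `CheckedInt<uint32_t>` is used in DecodeFunctionSection, but this file's part of the patch adds neither `#include "mozilla/CheckedInt.h"` nor `using mozilla::CheckedInt;`, both of which the WasmCompile.cpp part does add. If WasmBinaryFormat.cpp does not already have them above line 311 (not visible here), the build would rely on a transitive include or unified-build ordering, so confirm and add them explicitly. A short comment above the sum would also record why the check exists, e.g. `// numDefs is read from the module bytes; the sum must not wrap before the MaxFuncs comparison.` The function body starts and ends outside this hunk.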
--- a/js/src/wasm/WasmCompile.cpp
+++ b/js/src/wasm/WasmCompile.cpp
@@ -13,27 +13,30 @@
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 
 #include "wasm/WasmCompile.h"
 
+#include "mozilla/CheckedInt.h"
+
 #include "jsprf.h"
 
 #include "wasm/WasmBinaryFormat.h"
 #include "wasm/WasmBinaryIterator.h"
 #include "wasm/WasmGenerator.h"
 #include "wasm/WasmSignalHandlers.h"
 
 using namespace js;
 using namespace js::jit;
 using namespace js::wasm;
 
+using mozilla::CheckedInt;
 using mozilla::IsNaN;
 
 namespace {
 
 struct ValidatingPolicy : OpIterPolicy
 {
     // Validation is what we're all about here.
     static const bool Validate = true;
@@ -499,24 +502,26 @@ static bool
 DecodeGlobalSection(Decoder& d, ModuleGeneratorData* init)
 {
     uint32_t sectionStart, sectionSize;
     if (!d.startSection(SectionId::Global, &sectionStart, &sectionSize, "global"))
         return false;
     if (sectionStart == Decoder::NotStarted)
         return true;
 
-    uint32_t numGlobals;
-    if (!d.readVarU32(&numGlobals))
+    uint32_t numDefs;
+    if (!d.readVarU32(&numDefs))
         return d.fail("expected number of globals");
 
-    if (numGlobals > MaxGlobals)
+    CheckedInt<uint32_t> numGlobals = init->globals.length();
+    numGlobals += numDefs;
+    if (!numGlobals.isValid() || numGlobals.value() > MaxGlobals)
         return d.fail("too many globals");
 
-    for (uint32_t i = 0; i < numGlobals; i++) {
+    for (uint32_t i = 0; i < numDefs; i++) {
         ValType type;
         bool isMutable;
         if (!DecodeGlobalType(d, &type, &isMutable))
             return false;
 
         InitExpr initializer;
         if (!DecodeInitializerExpression(d, init->globals, type, &initializer))
             return false;
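Review bot: The comparison `numGlobals.value() > MaxGlobals` now limits imported plus defined globals, where the old code limited only the count read from this section. That is a change in what the limit means, beyond the overflow fix, and nothing in the code states it. Add a comment above the `CheckedInt` lines such as `// MaxGlobals bounds the whole global index space (imports already in init->globals plus numDefs), and numDefs is untrusted.` The changeset lists only the two source files, so a regression case for a module whose import count plus definition count exceeds the limit would have to land separately. The loop body continues outside this hunk.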