Merge #698

698: Fix issue with emscripten memory out of range r=bjfish a=bjfish Fixes #678 Co-authored-by: Brandon Fish <brandon.j.fish@gmail.com>
2024-12-14 14:45:40 +00:00 · 2019-08-19 15:15:12 +00:00 · 2019-08-19 15:15:12 +00:00 · b1255179e0
commit b1255179e0
parent 09e843090f 1886760eba
2 changed files with 38 additions and 15 deletions
--- a/lib/emscripten/src/lib.rs
+++ b/lib/emscripten/src/lib.rs
@ -405,11 +405,18 @@ fn store_module_arguments(ctx: &mut Ctx, args: Vec<&str>) -> (u32, u32) {
    (argc as u32 - 1, argv_offset)
 }

-pub fn emscripten_set_up_memory(memory: &Memory, globals: &EmscriptenGlobalsData) {
+pub fn emscripten_set_up_memory(
+    memory: &Memory,
+    globals: &EmscriptenGlobalsData,
+) -> Result<(), String> {
    let dynamictop_ptr = globals.dynamictop_ptr;
    let dynamic_base = globals.dynamic_base;

+    if (dynamictop_ptr / 4) as usize >= memory.view::<u32>().len() {
+        return Err("dynamictop_ptr beyond memory len".to_string());
+    }
    memory.view::<u32>()[(dynamictop_ptr / 4) as usize].set(dynamic_base);
+    Ok(())
 }

 pub struct EmscriptenGlobalsData {
@ -489,7 +496,7 @@ impl EmscriptenGlobals {
            static_top += 16;

            let (dynamic_base, dynamictop_ptr) =
-                get_emscripten_metadata(&module).unwrap_or_else(|| {
+                get_emscripten_metadata(&module)?.unwrap_or_else(|| {
                    let dynamictop_ptr = static_alloc(&mut static_top, 4);
                    (
                        align_memory(align_memory(static_top) + TOTAL_STACK),
@ -513,7 +520,7 @@ impl EmscriptenGlobals {
            }
        };

-        emscripten_set_up_memory(&memory, &data);
+        emscripten_set_up_memory(&memory, &data)?;

        let mut null_func_names = vec![];
        for (
--- a/lib/emscripten/src/utils.rs
+++ b/lib/emscripten/src/utils.rs
@ -53,15 +53,23 @@ pub fn get_emscripten_memory_size(module: &Module) -> Result<(Pages, Option<Page
 /// Assumes values start from the end in this order:
 /// Last export: Dynamic Base
 /// Second-to-Last export: Dynamic top pointer
-pub fn get_emscripten_metadata(module: &Module) -> Option<(u32, u32)> {
-    let max_idx = &module.info().globals.iter().map(|(k, _)| k).max()?;
-    let snd_max_idx = &module
+pub fn get_emscripten_metadata(module: &Module) -> Result<Option<(u32, u32)>, String> {
+    let max_idx = match module.info().globals.iter().map(|(k, _)| k).max() {
+        Some(x) => x,
+        None => return Ok(None),
+    };
+
+    let snd_max_idx = match module
        .info()
        .globals
        .iter()
        .map(|(k, _)| k)
-        .filter(|k| k != max_idx)
-        .max()?;
+        .filter(|k| *k != max_idx)
+        .max()
+    {
+        Some(x) => x,
+        None => return Ok(None),
+    };

    use wasmer_runtime_core::types::{GlobalInit, Initializer::Const, Value::I32};
    if let (
@ -74,15 +82,23 @@ pub fn get_emscripten_metadata(module: &Module) -> Option<(u32, u32)> {
            ..
        },
    ) = (
-        &module.info().globals[*max_idx],
-        &module.info().globals[*snd_max_idx],
+        &module.info().globals[max_idx],
+        &module.info().globals[snd_max_idx],
    ) {
-        Some((
-            align_memory(*dynamic_base as u32 - 32),
-            align_memory(*dynamictop_ptr as u32 - 32),
-        ))
+        let dynamic_base = (*dynamic_base as u32).checked_sub(32).ok_or(format!(
+            "emscripten unexpected dynamic_base {}",
+            *dynamic_base as u32
+        ))?;
+        let dynamictop_ptr = (*dynamictop_ptr as u32).checked_sub(32).ok_or(format!(
+            "emscripten unexpected dynamictop_ptr {}",
+            *dynamictop_ptr as u32
+        ))?;
+        Ok(Some((
+            align_memory(dynamic_base),
+            align_memory(dynamictop_ptr),
+        )))
    } else {
-        None
+        Ok(None)
    }
 }