[Backport] Merged: Reland "[wasm] Gracefully handle malformed custom sections in WebAssembly.Module.customSections()."

NOTRY=true NOPRESUBMIT=true NOTREECHECKS=true BUG=chromium:789952 This is a reland of 163c1c82622f09f64fe7c3a1c93f81b566200493 Original change's description: > [wasm] Gracefully handle malformed custom sections in WebAssembly.Module.customSections(). > > R=clemensh@chromium.org > BUG=chromium:789952 > > Change-Id: Ida627fa6cdeacff01a0ec4d20e58281f17528010 > Reviewed-on: https://chromium-review.googlesource.com/800941 > Reviewed-by: Clemens Hammacher <clemensh@chromium.org> > Commit-Queue: Ben Titzer <titzer@chromium.org> > Cr-Commit-Position: refs/heads/master@{#49767} Bug: chromium:789952 Reviewed-on: https://chromium-review.googlesource.com/803575 Commit-Queue: Ben L. Titzer <titzer@google.com> Commit-Queue: Ben Titzer <titzer@chromium.org> Reviewed-by: Clemens Hammacher <clemensh@chromium.org> Cr-Original-Commit-Position: refs/heads/master@{#49796}(cherry picked from commit b6ca58e57ec6b1d66c68d9f61eab87c3ca5f6c6c) Reviewed-on: https://chromium-review.googlesource.com/808225 Cr-Commit-Position: refs/branch-heads/6.4@{#5} Cr-Branched-From: 0407506af3d9d7e2718be1d8759296165b218fcf-refs/heads/6.4.388@{#1} Cr-Branched-From: a5fc4e085ee543cb608eb11034bc8f147ba388e1-refs/heads/master@{#49724} (CVE-2018-6036) Change-Id: If66cdf7ef532543acc147743d0ce3a5ac0549120 Reviewed-by: Michael Brüning <michael.bruning@qt.io>
author: Allan Sandfeld Jensen <allan.jensen@qt.io> 2018-01-29 10:28:49 +0100
committer: Allan Sandfeld Jensen <allan.jensen@qt.io> 2018-01-29 13:25:28 +0000
commit: cf3a94e300853fc3620d1ac73922232da14e5919 (patch)
tree: b79c95e8b752e34306aa5724a6268232bad37fa4
parent: 543692ef8d0e17adecc36b07f36164f9bc93e85c (diff)
download: qtwebengine-chromium-cf3a94e300853fc3620d1ac73922232da14e5919.tar.gz
1 files changed, 5 insertions, 0 deletions
diff --git a/chromium/v8/src/wasm/module-decoder.cc b/chromium/v8/src/wasm/module-decoder.cc
index 94dc710b1b2..81a2c22db6d 100644
--- a/chromium/v8/src/wasm/module-decoder.cc
+++ b/chromium/v8/src/wasm/module-decoder.cc
@@ -1432,8 +1432,13 @@ std::vector<CustomSectionOffset> DecodeCustomSections(const byte* start,
     uint32_t name_offset = decoder.pc_offset();
     decoder.consume_bytes(name_length, "section name");
     uint32_t payload_offset = decoder.pc_offset();
+    if (section_length < (payload_offset - section_start)) {
+      decoder.error("invalid section length");
+      break;
+    }
     uint32_t payload_length = section_length - (payload_offset - section_start);
     decoder.consume_bytes(payload_length);
+    if (decoder.failed()) break;
     result.push_back({{section_start, section_length},
                       {name_offset, name_length},
                       {payload_offset, payload_length}});
author	Allan Sandfeld Jensen <allan.jensen@qt.io>	2018-01-29 10:28:49 +0100
committer	Allan Sandfeld Jensen <allan.jensen@qt.io>	2018-01-29 13:25:28 +0000
commit	cf3a94e300853fc3620d1ac73922232da14e5919 (patch)
tree	b79c95e8b752e34306aa5724a6268232bad37fa4
parent	543692ef8d0e17adecc36b07f36164f9bc93e85c (diff)
download	qtwebengine-chromium-cf3a94e300853fc3620d1ac73922232da14e5919.tar.gz