[Strings] Handle overflow in string.encode_wtf16_array (#6422)

kripken · web-flow · commit 2471301a5209 · 2024-03-22T12:27:54.000-07:00
diff --git a/src/wasm-interpreter.h b/src/wasm-interpreter.h
@@ -32,6 +32,7 @@
 #include "ir/module-utils.h"
 #include "support/bits.h"
 #include "support/safe_integer.h"
+#include "support/stdckdint.h"
 #include "wasm-builder.h"
 #include "wasm-traversal.h"
 #include "wasm.h"
@@ -2001,10 +2002,12 @@ class ExpressionRunner : public OverriddenVisitor<SubType, Flow> {
     if (!refData || !ptrData) {
       trap("null ref");
     }
-    auto startVal = start.getSingleValue().getInteger();
+    auto startVal = start.getSingleValue().getUnsigned();
     auto& refValues = refData->values;
     auto& ptrValues = ptrData->values;
-    if (startVal + refValues.size() > ptrValues.size()) {
+    size_t end;
+    if (std::ckd_add<size_t>(&end, startVal, refValues.size()) ||
+        end > ptrValues.size()) {
       trap("oob");
     }
 
diff --git a/test/lit/exec/strings.wast b/test/lit/exec/strings.wast
@@ -245,6 +245,36 @@
     )
   )
 
+  ;; CHECK:      [fuzz-exec] calling encode-unsigned
+  ;; CHECK-NEXT: [trap oob]
+  (func $encode-unsigned (export "encode-unsigned")
+    (drop
+      (string.encode_wtf16_array
+        (string.const "ab")
+        (array.new_default $array16
+          (i32.const 28)
+        )
+        ;; This is a huge unsigned offset, so we will trap on oob.
+        (i32.const -2)
+      )
+    )
+  )
+
+  ;; CHECK:      [fuzz-exec] calling encode-overflow
+  ;; CHECK-NEXT: [trap oob]
+  (func $encode-overflow (export "encode-overflow")
+    ;; The string's size + the offset lead to an overflow here in the array.
+    (drop
+      (string.encode_wtf16_array
+        (string.const "ab")
+        (array.new_default $array16
+          (i32.const 10)
+        )
+        (i32.const 9)
+      )
+    )
+  )
+
   ;; CHECK:      [fuzz-exec] calling slice
   ;; CHECK-NEXT: [fuzz-exec] note result: slice => string("def")
   (func $slice (export "slice") (result (ref string))
@@ -332,6 +362,12 @@
 ;; CHECK-NEXT: [LoggingExternalInterface logging 99]
 ;; CHECK-NEXT: [LoggingExternalInterface logging 0]
 
+;; CHECK:      [fuzz-exec] calling encode-unsigned
+;; CHECK-NEXT: [trap oob]
+
+;; CHECK:      [fuzz-exec] calling encode-overflow
+;; CHECK-NEXT: [trap oob]
+
 ;; CHECK:      [fuzz-exec] calling slice
 ;; CHECK-NEXT: [fuzz-exec] note result: slice => string("def")
 
@@ -349,6 +385,8 @@
 ;; CHECK-NEXT: [fuzz-exec] comparing compare.9
 ;; CHECK-NEXT: [fuzz-exec] comparing const
 ;; CHECK-NEXT: [fuzz-exec] comparing encode
+;; CHECK-NEXT: [fuzz-exec] comparing encode-overflow
+;; CHECK-NEXT: [fuzz-exec] comparing encode-unsigned
 ;; CHECK-NEXT: [fuzz-exec] comparing eq.1
 ;; CHECK-NEXT: [fuzz-exec] comparing eq.2
 ;; CHECK-NEXT: [fuzz-exec] comparing eq.3
