<html>
<head>
<base href="https://bugs.webkit.org/" />
</head>
<body>
<p>
<div>
<b><a class="bz_bug_link
bz_status_NEW "
title="NEW - Parse the entire WebAssembly modules"
href="https://bugs.webkit.org/show_bug.cgi?id=147393#c9">Comment # 9</a>
on <a class="bz_bug_link
bz_status_NEW "
title="NEW - Parse the entire WebAssembly modules"
href="https://bugs.webkit.org/show_bug.cgi?id=147393">bug 147393</a>
from <span class="vcard"><a class="email" href="mailto:sukolsak@gmail.com" title="Sukolsak Sakshuwong <sukolsak@gmail.com>"> <span class="fn">Sukolsak Sakshuwong</span></a>
</span></b>
<pre>Thanks.
(In reply to <a href="show_bug.cgi?id=147393#c8">comment #8</a>)
<span class="quote">> Comment on <span class=""><a href="attachment.cgi?id=257910&action=diff" name="attach_257910" title="Patch">attachment 257910</a> <a href="attachment.cgi?id=257910&action=edit" title="Patch">[details]</a></span>
> Patch
>
> View in context:
> <a href="https://bugs.webkit.org/attachment.cgi?id=257910&action=review">https://bugs.webkit.org/attachment.cgi?id=257910&action=review</a>
>
> > Source/JavaScriptCore/wasm/WASMReader.cpp:83
> > + CHECK_READ(1);
>
> Why not do everything in the loop?</span>
It's just an optimization for small integers. If this seems like a micro-optimization, let me know and I will fix it.
<span class="quote">> > Source/JavaScriptCore/wasm/WASMReader.cpp:89
> > + while (true) {
>
> What's stopping this from reading more than 4 bytes?
>
> > Source/JavaScriptCore/wasm/WASMReader.cpp:96
> > + result |= (byte & 0x7f) << shift;
>
> Or maybe the limit is we can read at most 5 bytes?
> Can compact int values be larger than 2^28?</span>
My first thought was that users couldn't do anything malicious with this anyway, because we always used CHECK_READ(), and unsigned integer overflow is well-defined. But I can see why this can be a problem. So, should we limit the number of bytes?
Compact (LEB128) uint32 values can be up to 2^32 - 1. So, the limit should be 5 bytes. If we check the number of bytes, should we check as well that the fifth byte is less than 2^(32-28) = 2^4 to prevent an integer overflow?</pre>
</div>
</p>
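<p>The bounded decoder the discussion above converges on, written out as an added example (not the WebKit patch's code): an unsigned LEB128 ("compact") uint32 reader that checks every byte is in bounds (the analogue of <code>CHECK_READ(1)</code>), stops after at most 5 bytes, and rejects a fifth byte whose payload does not fit in the remaining 4 bits of a uint32. The function and struct names and the test inputs are assumptions for the example.</p>

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Result of one decode attempt. `consumed` is the number of bytes read
// before success or failure; on failure `value` is unspecified.
struct Decoded {
    bool ok;
    uint32_t value;
    size_t consumed;
};

// Decode an unsigned LEB128 uint32 from data[offset, length).
// Rejects: truncated input, more than ceil(32/7) = 5 bytes, and a fifth
// byte carrying bits above the 4 that still fit in a 32-bit result.
// (Names and structure are this example's own, not WASMReader.cpp's.)
bool readCompactUInt32(const uint8_t* data, size_t length, size_t& offset, uint32_t& result)
{
    constexpr size_t maxBytes = 5;            // 5 * 7 = 35 >= 32 payload bits
    constexpr uint8_t lastBytePayloadMask = 0x0f; // 32 - 28 = 4 bits left for byte 5
    uint32_t value = 0;
    for (size_t i = 0; i < maxBytes; ++i) {
        if (offset >= length)                 // bounds check, like CHECK_READ(1)
            return false;
        uint8_t byte = data[offset++];
        uint8_t payload = byte & 0x7f;
        if (i == maxBytes - 1 && (payload & ~lastBytePayloadMask))
            return false;                     // would not fit in uint32
        value |= static_cast<uint32_t>(payload) << (7 * i);
        if (!(byte & 0x80)) {                 // continuation bit clear: done
            result = value;
            return true;
        }
    }
    return false;                             // 5 bytes read and still continuing
}

// Convenience wrapper over a byte vector; decoding starts at offset 0.
Decoded decodeCompactUInt32(const std::vector<uint8_t>& bytes)
{
    size_t offset = 0;
    uint32_t value = 0;
    bool ok = readCompactUInt32(bytes.data(), bytes.size(), offset, value);
    return Decoded { ok, value, offset };
}

int main()
{
    // Constructed sample encodings for this example.
    const std::vector<std::vector<uint8_t>> samples = {
        { 0x7f },                                  // 127, single byte
        { 0xe5, 0x8e, 0x26 },                      // 624485, three bytes
        { 0xff, 0xff, 0xff, 0xff, 0x0f },          // 0xffffffff, the largest valid value
        { 0xff, 0xff, 0xff, 0xff, 0x1f },          // rejected: fifth byte overflows uint32
        { 0x80, 0x80, 0x80, 0x80, 0x80, 0x00 },    // rejected: more than 5 bytes
        { 0x80 },                                  // rejected: truncated input
    };
    for (const auto& sample : samples) {
        Decoded d = decodeCompactUInt32(sample);
        if (d.ok)
            std::printf("ok    value=%u consumed=%zu\n", d.value, d.consumed);
        else
            std::printf("error after %zu byte(s)\n", d.consumed);
    }
    return 0;
}
```

<p>With the byte cap alone, five bytes of <code>0xff</code> followed by <code>0x1f</code> would still silently wrap to a smaller value, which is why the example masks the fifth byte's payload against <code>0x0f</code> before shifting it by 28.</p>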
</body>
</html>