From c1c55607e106288a1822587a05c283c77528f152 Mon Sep 17 00:00:00 2001
From: Nick Fitzgerald
Date: Sat, 21 Dec 2019 13:37:42 -0800
Subject: [PATCH] cranelift-wasm: Check for `u32::MAX` function indices (#1307)

As an implementation-specific limit, we do not allow the full index space of `0..=2^32 - 1` because we reserve index `2^32 - 1` for ourselves in `cranelift-entity`.

Fixes #1306
---
 cranelift/wasm/src/sections_translator.rs | 15 +++++++++++++--
 ...name-section-with-u32-max-function-index.wasm | Bin 0 -> 381 bytes
 2 files changed, 13 insertions(+), 2 deletions(-)
 create mode 100644 cranelift/wasmtests/issue-1306-name-section-with-u32-max-function-index.wasm

diff --git a/cranelift/wasm/src/sections_translator.rs b/cranelift/wasm/src/sections_translator.rs
index 03444a547f..503ae7226e 100644
--- a/cranelift/wasm/src/sections_translator.rs
+++ b/cranelift/wasm/src/sections_translator.rs
@@ -7,7 +7,7 @@
 //! The special case of the initialize expressions for table elements offsets or global variables
 //! is handled, according to the semantics of WebAssembly, to only specific expressions that are
 //! interpreted on the fly.
-use crate::environ::{ModuleEnvironment, WasmResult};
+use crate::environ::{ModuleEnvironment, WasmError, WasmResult};
 use crate::state::ModuleTranslationState;
 use crate::translation_utils::{
 tabletype_to_type, type_to_type, FuncIndex, Global, GlobalIndex, GlobalInit, Memory,
@@ -141,7 +141,13 @@ pub fn parse_function_section(
 functions: FunctionSectionReader,
 environ: &mut dyn ModuleEnvironment,
 ) -> WasmResult<()> {
- environ.reserve_func_types(functions.get_count())?;
+ let num_functions = functions.get_count();
+ if num_functions == std::u32::MAX {
+ // We reserve `u32::MAX` for our own use in cranelift-entity.
+ return Err(WasmError::ImplLimitExceeded);
+ }
+
+ environ.reserve_func_types(num_functions)?;
 for entry in functions {
 let sigindex = entry?;
@@ -415,6 +421,11 @@ fn parse_function_name_subsection(
 let mut function_names = HashMap::new();
 for _ in 0..naming_reader.get_count() {
 let Naming { index, name } = naming_reader.read().ok()?;
+ if index == std::u32::MAX {
+ // We reserve `u32::MAX` for our own use in cranelift-entity.
+ return None;
+ }
+
 if function_names
 .insert(FuncIndex::from_u32(index), name)
 .is_some()
diff --git a/cranelift/wasmtests/issue-1306-name-section-with-u32-max-function-index.wasm b/cranelift/wasmtests/issue-1306-name-section-with-u32-max-function-index.wasm
new file mode 100644
index 0000000000000000000000000000000000000000..79d8dc33881dcfaa6d7467b3508f9da0cd629a46
GIT binary patch
literal 381
zcmZQbEY4+Q0D@0UEP08!sf@3f*ctTWqx?*g^NmuC3rdO%jZ=#93*s~L;tO&TlT!`N
zGt4awk_?iKObpG8Qlyz80YAGMGh1$IZhlcEliD$c$3M1)ZeFgv!vCqOuD;gp
z)R-2HsnT;r${X`vZs|+pPuk|mRm1zMa?+I^mXs4O2{0O^jSwnbY#~*@TNq
zi%a5DGvW(Ui;DB}5_2+3DkVglnYwc_W0ewew&vMBRypV>+2>TczUxJ9c}T0w=_|RW
z;)%+doIlQUF)Xdq6I5F}J>z3#v{&4eqUPFnLEQ)HA85#JTvDg1GAAKi;OCr^YJo*_
v(l|rzvIu
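Review bot: The `index == std::u32::MAX` guard in front of the `function_names.insert` call repeats, comment included, the check that `parse_function_section` gains in the previous hunk, and any other place in this file that builds a `FuncIndex::from_u32` from a reader-supplied index (the export, element and start sections, for instance) presumably needs the same limit, so one helper such as `fn checked_func_index(index: u32) -> Option<FuncIndex> { if index == std::u32::MAX { None } else { Some(FuncIndex::from_u32(index)) } }` would keep the reserved value in a single place. Returning `None` here also discards every name already collected for the subsection rather than skipping the one entry; that is consistent with the existing `.ok()?` on `naming_reader.read()`, but the comment should say so, e.g. `// cranelift-entity reserves u32::MAX; treat this like any other malformed naming and drop the whole subsection.` Both `parse_function_name_subsection` and `parse_function_section` start and end outside their hunks, and the trailing context line of the `parse_function_section` hunk appears to be missing from this view.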