From edc3643909ecb16990ac69c6bd6afafc1fb10242 Mon Sep 17 00:00:00 2001
From: YAMAMOTO Takashi
Date: Thu, 1 Feb 2024 13:32:06 +0900
Subject: [PATCH] EH: Fix validation of delegate opcode (#3107)

cf. https://github.com/bytecodealliance/wasm-micro-runtime/issues/1884#issuecomment-1914000294
---
 core/iwasm/interpreter/wasm_loader.c | 42 +++++++++++++++++++++++-----
 1 file changed, 35 insertions(+), 7 deletions(-)

diff --git a/core/iwasm/interpreter/wasm_loader.c b/core/iwasm/interpreter/wasm_loader.c
index 7b3eb365cd..3811f5a13d 100644
--- a/core/iwasm/interpreter/wasm_loader.c
+++ b/core/iwasm/interpreter/wasm_loader.c
@@ -7128,6 +7128,40 @@ check_branch_block(WASMLoaderContext *loader_ctx, uint8 **p_buf, uint8 *buf_end,
 return NULL;
 }

+#if WASM_ENABLE_EXCE_HANDLING != 0
+static BranchBlock *
+check_branch_block_for_delegate(WASMLoaderContext *loader_ctx, uint8 **p_buf,
+ uint8 *buf_end, char *error_buf,
+ uint32 error_buf_size)
+{
+ uint8 *p = *p_buf, *p_end = buf_end;
+ BranchBlock *frame_csp_tmp;
+ uint32 depth;
+
+ read_leb_uint32(p, p_end, depth);
+ /*
+ * Note: "delegate 0" means the surrounding block, not the
+ * try-delegate block itself.
+ *
+ * Note: the caller hasn't popped the try-delegate frame yet.
+ */
+ bh_assert(loader_ctx->csp_num > 0);
+ if (loader_ctx->csp_num - 1 <= depth) {
+ set_error_buf(error_buf, error_buf_size, "unknown delegate label");
+ goto fail;
+ }
+ frame_csp_tmp = loader_ctx->frame_csp - depth - 2;
+#if WASM_ENABLE_FAST_INTERP != 0
+ emit_br_info(frame_csp_tmp);
+#endif
+
+ *p_buf = p;
+ return frame_csp_tmp;
+fail:
+ return NULL;
+}
+#endif
+
 static bool
 check_block_stack(WASMLoaderContext *loader_ctx, BranchBlock *block,
 char *error_buf, uint32 error_buf_size)
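Review bot: The bounds check `if (loader_ctx->csp_num - 1 <= depth)` in check_branch_block_for_delegate relies on the preceding `bh_assert(loader_ctx->csp_num > 0)` to rule out unsigned wrap-around, while `depth` is decoded directly from the module bytes. If bh_assert expands to nothing in non-debug builds (its definition is not visible here), a zero csp_num would wrap the subtraction to the largest uint32 value, the check would pass, and `loader_ctx->frame_csp - depth - 2` would point outside the control stack. Folding the invariant into the runtime test removes that dependency without changing which modules are accepted: `if (loader_ctx->csp_num < 2 || depth > loader_ctx->csp_num - 2) {`. The function lies entirely inside this hunk. The diffstat lists no test file, so a regression module covering `delegate 0` and an out-of-range depth would be worth adding alongside.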
@@ -7832,16 +7866,10 @@ wasm_loader_prepare_bytecode(WASMModule *module, WASMFunction *func,
 case WASM_OP_DELEGATE:
 {
 /* check target block is valid */
- if (!(frame_csp_tmp = check_branch_block(
+ if (!(frame_csp_tmp = check_branch_block_for_delegate(
 loader_ctx, &p, p_end, error_buf, error_buf_size)))
 goto fail;

- /* valid types */
- if (LABEL_TYPE_TRY != frame_csp_tmp->label_type) {
- snprintf(error_buf, error_buf_size, "unknown label");
- goto fail;
- }
-
 BranchBlock *cur_block = loader_ctx->frame_csp - 1;
 uint8 label_type = cur_block->label_type;
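Review bot: With the `LABEL_TYPE_TRY` test on `frame_csp_tmp` removed, the WASM_OP_DELEGATE case accepts a target of any label kind, and nothing at the call site records that this is deliberate. A short comment above the call would keep a later reader from restoring the check, for example `/* the delegate target may be any enclosing label, not only a try; depth 0 is the block surrounding this try-delegate */`, assuming that is the intended rule. The helper's `- 2` offset also assumes the try-delegate frame is still on the control stack, so it only stays meaningful if `cur_block->label_type` is checked to be a try, presumably in the lines that follow. The case body starts and ends outside this hunk, so that check is not visible here.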