Handle negative grow pages to avoid shrinking memory

Signed-off-by: Takeshi Yoneda <[email protected]>
tetratelabs · Mar 5, 2024 · 4b214e2 · 4b214e2
1 parent a4d9346
commit 4b214e2
Show file tree

Hide file tree

Showing 5 changed files with 56 additions and 1 deletion.
diff --git a/internal/integration_test/fuzzcases/fuzzcases_test.go b/internal/integration_test/fuzzcases/fuzzcases_test.go
@@ -1056,3 +1056,10 @@ func Test2112(t *testing.T) {
 	require.Error(t, err)
 	require.Contains(t, err.Error(), "invalid function[0]: unknown misc opcode 0x30")
 }
+
+func Test2118(t *testing.T) {
+	if !platform.CompilerSupported() {
+		return
+	}
+	nodiff.RequireNoDiffT(t, getWasmBinary(t, "2118"), true, true)
+}
diff --git a/internal/integration_test/fuzzcases/testdata/2118.wasm b/internal/integration_test/fuzzcases/testdata/2118.wasm
diff --git a/internal/integration_test/fuzzcases/testdata/2118.wat b/internal/integration_test/fuzzcases/testdata/2118.wat
@@ -0,0 +1,38 @@
+(module
+  (type (;0;) (func (param i32 i32 i32 i32 i32 i64 i32 i32 i32)))
+  (func (;0;) (type 0) (param i32 i32 i32 i32 i32 i64 i32 i32 i32)
+    (local v128)
+    f64.const -0x1.34dbf7bd7ba6p+771 (;=-14984674124766183000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000;)
+    i32.const 0
+    i64.const 0
+    i64.store offset=72462
+    local.get 7
+    i64.const 0
+    i64.store offset=72462
+    i32.const 0
+    i64.const 0
+    i64.store offset=6876
+    i32.const 1
+    i64.const 1
+    i64.store offset=31806 align=1
+    i32.const 1
+    i64.const 1
+    i64.store offset=72462
+    local.get 7
+    i64.const 0
+    i64.store offset=72462
+    i32.const 1
+    i64.const 1
+    i64.store offset=72462
+    i32.const -8476938
+    memory.grow
+    memory.grow
+    i32.ctz
+    local.get 7
+    i64.const 0
+    i64.store offset=72462
+    unreachable
+  )
+  (memory (;0;) 2 7)
+  (export "" (func 0))
+)
diff --git a/internal/wasm/memory.go b/internal/wasm/memory.go
@@ -256,7 +256,7 @@ func (m *MemoryInstance) Grow(delta uint32) (result uint32, ok bool) {
 
 	// If exceeds the max of memory size, we push -1 according to the spec.
 	newPages := currentPages + delta
-	if newPages > m.Max {
+	if newPages > m.Max || int32(delta) < 0 {
 		return 0, false
 	} else if newPages > m.Cap { // grow the memory.
 		if m.Shared {

diff --git a/internal/wasm/memory_test.go b/internal/wasm/memory_test.go
@@ -91,6 +91,16 @@ func TestMemoryInstance_Grow_Size(t *testing.T) {
 	}
 }
 
+func TestMemoryInstance_NegativeDelta(t *testing.T) {
+	m := &MemoryInstance{Buffer: make([]byte, 2*MemoryPageSize)}
+	_negative := -1
+	negativeu32 := uint32(_negative)
+	_, ok := m.Grow(negativeu32)
+	// If the negative page size is given, current_page+delta might overflow, and it can result in accidentally shrinking the memory,
+	// which is obviously not spec compliant.
+	require.False(t, ok)
+}
+
 func TestMemoryInstance_ReadByte(t *testing.T) {
 	mem := &MemoryInstance{Buffer: []byte{0, 0, 0, 0, 0, 0, 0, 16}, Min: 1}
 	v, ok := mem.ReadByte(7)