
Commit f9f7943

author
Meghana Gupta
committed
add overflow condition
1 parent a3d4ca6 commit f9f7943


3 files changed

+29
-6
lines changed


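--- a/lib/Backend/LowerMDShared.cpp
+++ b/lib/Backend/LowerMDShared.cpp
@@ -283,9 +283,12 @@ LowererMD::LowerWasmMemOp(IR::Instr * instr, IR::Opnd *addrOpnd)
 IR::Opnd *srcOpnd = IR::IndirOpnd::New(arrayBuffer, Js::ArrayBuffer::GetByteLengthOffset(), TyMachReg, m_func);
 IR::RegOpnd *arrayLenOpnd = IR::RegOpnd::New(TyMachReg, m_func);
 
-// Compare index and array buffer length, and generate RuntimeError if greater
+// Compare index + memop access length and array buffer length, and generate RuntimeError if greater
 Lowerer::InsertMove(arrayLenOpnd, srcOpnd, helperLabel);
+Lowerer::InsertAdd(true, indexOpnd, indexOpnd, IR::IntConstOpnd::New(addrOpnd->GetSize(), TyMachReg, m_func), helperLabel);
+Lowerer::InsertBranch(Js::OpCode::JO, helperLabel, helperLabel);
 m_lowerer->InsertCompareBranch(indexOpnd, arrayLenOpnd, Js::OpCode::BrGe_A, true, helperLabel, helperLabel);
+
 // MGTODO : call RuntimeError once implemented
 m_lowerer->GenerateRuntimeError(loadLabel, JSERR_InvalidTypedArrayIndex, IR::HelperOp_RuntimeRangeError);
 Lowerer::InsertBranch(Js::OpCode::Br, loadLabel, helperLabel);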
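Review bot: The bound check after the new InsertAdd rejects an access that ends exactly at the buffer end: `indexOpnd` now holds index + size, so `BrGe_A` traps when index + size == byteLength, while the interpreter's OP_LdArrWasm in this same commit throws only when index + size > byteLength, so JIT and interpreter disagree at the boundary. For a `size`-byte access the in-bounds condition is index + size <= byteLength, so the branch should be `m_lowerer->InsertCompareBranch(indexOpnd, arrayLenOpnd, Js::OpCode::BrGt_A, true, helperLabel, helperLabel);` (or the interpreter tightened to match; either way the two must agree). The add also writes index + size back into `indexOpnd` in place; if the memory access emitted later addresses through `indexOpnd`, it is shifted by `size` bytes — the body of LowerWasmMemOp continues outside the hunk, so this needs confirming there. The JO branch immediately after the add is the right place to catch a wrapped sum and can stay as is.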

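--- a/lib/Runtime/Language/InterpreterStackFrame.cpp
+++ b/lib/Runtime/Language/InterpreterStackFrame.cpp
@@ -981,6 +981,25 @@ namespace Js
 &InterpreterStackFrame::OP_LdArr<int32, int64>,
 &InterpreterStackFrame::OP_LdArr<uint32, int64>,
 };
+
+const int InterpreterStackFrame::TypeToSizeMap[] =
+{
+/*int8*/ 1,
+/*uint8*/ 1,
+/*int16*/ 2,
+/*uint16*/ 2,
+/*int32*/ 4,
+/*uint32*/ 4,
+/*float*/ 4,
+/*double*/ 8,
+/*int64*/ 8,
+/*int8*/ 1,
+/*uint8*/ 1,
+/*int16*/ 2,
+/*uint16*/ 2,
+/*int32*/ 4,
+/*uint32*/ 4,
+};
 #endif
 
 Var InterpreterStackFrame::InnerScopeFromRegSlot(RegSlot reg) const
@@ -8304,7 +8323,7 @@ const byte * InterpreterStackFrame::OP_ProfiledLoopBodyStart(const byte * ip)
 CompileAssert(Js::ArrayBufferView::TYPE_COUNT == (sizeof(InterpreterStackFrame::LdArrFunc) / sizeof(InterpreterStackFrame::ArrFunc)));
 JavascriptArrayBuffer* arr = *(JavascriptArrayBuffer**)GetNonVarReg(AsmJsFunctionMemory::ArrayBufferRegister);
 BYTE* buffer = arr->GetBuffer();
-ArrayType val = index < (arr->GetByteLength()) ? *(ArrayType*)(buffer + index) : GetArrayViewOverflowVal<ArrayType>();
+ArrayType val = index + sizeof(ArrayType) < (arr->GetByteLength()) ? *(ArrayType*)(buffer + index) : GetArrayViewOverflowVal<ArrayType>();
 SetRegRaw<RegType>(regSlot, (RegType)val);
 }
 #endif
@@ -8341,13 +8360,13 @@ const byte * InterpreterStackFrame::OP_ProfiledLoopBodyStart(const byte * ip)
 void InterpreterStackFrame::OP_LdArrWasm(const unaligned T* playout)
 {
 Assert(playout->ViewType < Js::ArrayBufferView::TYPE_COUNT);
-const uint32 index = (uint32)GetRegRawInt(playout->SlotIndex);
+const uint64 index = (uint64)GetRegRawInt(playout->SlotIndex);
 JavascriptArrayBuffer* arr = *(JavascriptArrayBuffer**)GetNonVarReg(AsmJsFunctionMemory::ArrayBufferRegister);
-if (index >= arr->GetByteLength())
+if (index >= arr->GetByteLength() || index + TypeToSizeMap[playout->ViewType] > arr->GetByteLength())
 {
 JavascriptError::ThrowRangeError(scriptContext, JSERR_InvalidTypedArrayIndex);
 }
-(this->*LdArrFunc[playout->ViewType])(index, playout->Value);
+(this->*LdArrFunc[playout->ViewType])((uint32)index, playout->Value);
 }
 template <class T>
 void InterpreterStackFrame::OP_LdArrConstIndex(const unaligned T* playout)
@@ -8369,7 +8388,7 @@ const byte * InterpreterStackFrame::OP_ProfiledLoopBodyStart(const byte * ip)
 Assert(playout->ViewType < Js::ArrayBufferView::TYPE_COUNT);
 const uint32 index = (uint32)GetRegRawInt(playout->SlotIndex);
 JavascriptArrayBuffer* arr = *(JavascriptArrayBuffer**)GetNonVarReg(AsmJsFunctionMemory::ArrayBufferRegister);
-if (index >= arr->GetByteLength())
+if (index >= arr->GetByteLength() || index + TypeToSizeMap[playout->ViewType] > arr->GetByteLength())
 {
 JavascriptError::ThrowRangeError(scriptContext, JSERR_InvalidTypedArrayIndex);
 }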
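Review bot: The bound checks added in this file disagree at the buffer end: OP_LdArrWasm and OP_LdArrConstIndex throw only when `index + size > byteLength`, but OP_LdArr (the hunk at new line 8326) takes the load path only when `index + sizeof(ArrayType) < byteLength`, so an access ending exactly at the end passes the caller's check and then silently yields GetArrayViewOverflowVal instead of loading or throwing. For a `sizeof(ArrayType)`-byte access the in-bounds condition is `index + sizeof(ArrayType) <= (arr->GetByteLength())`, so that line should use `<=`. In OP_LdArrConstIndex (last hunk) `index` stays `uint32` while the identical check in OP_LdArrWasm was widened to `uint64`; with TypeToSizeMap being `int`, `index + TypeToSizeMap[...]` there is evaluated in 32 bits and can wrap for an index within `size` bytes of UINT32_MAX (reachable only if the first test lets such an index through, i.e. if GetByteLength() can approach 4 GB), so it should get the same `const uint64 index = (uint64)GetRegRawInt(playout->SlotIndex);` widening. The new TypeToSizeMap would also benefit from the guard LdArrFunc already has at new line 8323, `CompileAssert(Js::ArrayBufferView::TYPE_COUNT == (sizeof(InterpreterStackFrame::TypeToSizeMap) / sizeof(InterpreterStackFrame::TypeToSizeMap[0])));`, so the table cannot drift from TYPE_COUNT; the repeated int8..uint32 tail of the table is presumably a second view-type group, which a one-line comment naming it would make clear.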

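--- a/lib/Runtime/Language/InterpreterStackFrame.h
+++ b/lib/Runtime/Language/InterpreterStackFrame.h
@@ -153,6 +153,7 @@ namespace Js
 typedef void(InterpreterStackFrame::*ArrFunc)(uint32, RegSlot);
 static const ArrFunc StArrFunc[15];
 static const ArrFunc LdArrFunc[15];
+static const int TypeToSizeMap[15];
 #endif
 
 //This class must have an empty ctor (otherwise it will break the code in InterpreterStackFrame::InterpreterThunk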
