Issue 1546

Issue metadata

Status: Fixed
Closed: Jun 7

Google Chrome: Integer Overflow when Processing WebAssembly Locals

Reported by natashenka@google.com (Project Member), Mar 8 2018

Issue description

When v8 decodes the locals of a function, it performs a check:

    if ((count + type_list->size()) > kV8MaxWasmFunctionLocals) {
      decoder->error(decoder->pc() - 1, "local count too large");
      return false;
    }

On a 32-bit platform, this check can be bypassed due to an integer overflow. This allows the number of function locals to be large, and can lead to memory corruption when the locals are allocated.

A PoC is attached. 

This bug is subject to a 90 day disclosure deadline. After 90 days elapse or a patch has been made broadly available, the bug report will become visible to the public.

Attachment: locals (2.9 KB)
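As an added example (not code from the report or from v8), the quoted check is mirrored with uint32_t standing in for the 32-bit size_t of a 32-bit build, next to one overflow-safe rearrangement that never performs the addition; the constant's value and the function names are assumptions made for this illustration, not v8's actual fix.

```cpp
#include <cstdint>

// Assumed illustrative value; v8 defines kV8MaxWasmFunctionLocals in its wasm limits header.
constexpr uint32_t kV8MaxWasmFunctionLocals = 50000;

// Mirrors the check quoted in the report. `count` is the new locals entry's
// count and `existing` stands for type_list->size(). uint32_t models the
// 32-bit size_t of a 32-bit platform, so the sum wraps modulo 2^32.
// Returns true when the check passes (the decoder would accept the locals).
bool OriginalCheckPasses(uint32_t count, uint32_t existing) {
  return !((count + existing) > kV8MaxWasmFunctionLocals);
}

// Overflow-safe form: bound each operand before comparing, so no wraparound
// is possible. Equivalent to the original whenever the sum does not overflow.
bool SafeCheckPasses(uint32_t count, uint32_t existing) {
  if (existing > kV8MaxWasmFunctionLocals) return false;
  return count <= kV8MaxWasmFunctionLocals - existing;
}

// True when the original check accepts a pair the safe check rejects, i.e.
// when the addition wrapped around. Useful as a regression test for the fix.
bool ChecksDisagree(uint32_t count, uint32_t existing) {
  return OriginalCheckPasses(count, existing) != SafeCheckPasses(count, existing);
}
```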

Comment 1 by natashenka@google.com (Project Member), Apr 19 2018

Labels: -Reported-7-Mar-2018 Reported-2018-Mar-7

Comment 2 by natashenka@google.com (Project Member), Jun 7

Labels: -Restrict-View-Commit CVE-2018-6092
Status: Fixed (was: New)
