Starred by 3 users

Issue metadata

Status: Fixed
Closed: Jun 2018

Issue 1546: Google Chrome: Integer Overflow when Processing WebAssembly Locals

Reported by natashenka@google.com, Mar 8 2018 Project Member

Issue description

When v8 decodes the locals of a function, it performs a check:

    if ((count + type_list->size()) > kV8MaxWasmFunctionLocals) {
      decoder->error(decoder->pc() - 1, "local count too large");
      return false;
    }

On a 32-bit platform, this check can be bypassed due to an integer overflow. This allows the number of function locals to be large, and can lead to memory corruption when the locals are allocated.

A PoC is attached. 

This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.
 
Attachment: locals (2.9 KB)
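
Added example (not part of the original report and not V8's code): a C model of the quoted check with both operands 32 bits wide, next to two forms of the comparison that cannot wrap. MAX_LOCALS, the function names and the input values are assumptions made for illustration; the report does not give the value of kV8MaxWasmFunctionLocals.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed limit for illustration only; the report does not state the value
   of kV8MaxWasmFunctionLocals. */
#define MAX_LOCALS 50000u

/* Same shape as the quoted check, with both operands 32 bits wide to model a
   32-bit size_t. The sum is reduced modulo 2^32 before the comparison. */
bool accept_wrapping(uint32_t count, uint32_t current) {
    uint32_t sum = count + current;   /* may wrap around */
    return !(sum > MAX_LOCALS);
}

/* Hardened: compare the new count against the remaining headroom, so no
   addition is performed that could wrap. */
bool accept_headroom(uint32_t count, uint32_t current) {
    if (current > MAX_LOCALS) return false;
    return count <= MAX_LOCALS - current;
}

/* Hardened alternative: widen both operands to 64 bits before adding. */
bool accept_widened(uint32_t count, uint32_t current) {
    return (uint64_t)count + (uint64_t)current <= MAX_LOCALS;
}

int main(void) {
    /* Constructed inputs: {declared count, locals already in the list}. */
    const uint32_t cases[][2] = {
        {10u, 20u}, {50000u, 0u}, {50000u, 1u},
        {0xFFFFFFFFu, 1u}, {0xFFFFFFF0u, 0x20u},
    };
    puts("count       current  wrapping headroom widened");
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uint32_t c = cases[i][0], n = cases[i][1];
        printf("0x%08x  %7u  %8d %8d %7d\n", (unsigned)c, (unsigned)n,
               accept_wrapping(c, n), accept_headroom(c, n),
               accept_widened(c, n));
    }
    return 0;
}
```

The last two rows are accepted only by the wrapping form, because their sums reduce to 0 and 0x10 modulo 2^32.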

Comment 1 by natashenka@google.com, Apr 19 2018

Project Member
Labels: -Reported-7-Mar-2018 Reported-2018-Mar-7

Comment 2 by natashenka@google.com, Jun 7 2018

Project Member
Labels: -Restrict-View-Commit CVE-2018-6092
Status: Fixed (was: New)
