WebAssembly / binaryen

Optimizer and compiler/toolchain library for WebAssembly
Apache License 2.0

Fuzz bug: missing bounds checks in element segment instantiation #6431

Open tlively opened 5 months ago

tlively commented 5 months ago

V8 very reasonably fails to instantiate this module:

(module
 (table $0 1 funcref)
 ;; the offset wraps to 0xFFFFFFFF, which lies outside the 1-entry table
 (elem $0 (offset (i32.sub (i32.const 0) (i32.const 1))))
)

But our interpreter does not perform the proper bounds checks, so it happily allows instantiation to succeed. Instead of adding the bounds checks, we should have the initialization logic call out to the interpretation of table.init, which is what the spec does.
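The check the spec performs on an active element segment, applied to the module above, as an added example (not binaryen code; `Trap`, `table_init` and `instantiate` are hypothetical names, and the table holds plain Python values instead of funcrefs):

```python
MASK32 = 0xFFFFFFFF


class Trap(Exception):
    """Raised where a WebAssembly engine would trap / fail instantiation."""


def i32_sub(a: int, b: int) -> int:
    # i32 arithmetic wraps modulo 2^32, so (i32.sub (i32.const 0) (i32.const 1))
    # evaluates to 0xFFFFFFFF, which the segment offset interprets as unsigned.
    return (a - b) & MASK32


def table_init(table: list, offset: int, segment: list) -> None:
    # Spec semantics of table.init: trap if s + n > len(tab).  The sum is taken
    # over unbounded integers, not wrapped to 32 bits, so a huge offset with an
    # empty segment still traps instead of silently "fitting".
    if offset + len(segment) > len(table):
        raise Trap("out of bounds table access")
    for i, func in enumerate(segment):
        table[offset + i] = func


def instantiate(table_size: int, elem_offset: int, elem_funcs: list):
    """Build the table and apply one active element segment via table_init.

    Returns the initialized table, or None if instantiation traps."""
    table = [None] * table_size
    try:
        table_init(table, elem_offset, elem_funcs)
    except Trap:
        return None
    return table


# Constructed input mirroring the module in the issue:
# (table $0 1 funcref) with (elem $0 (offset (i32.sub (i32.const 0) (i32.const 1))))
ISSUE_TABLE_SIZE = 1
ISSUE_ELEM_OFFSET = i32_sub(0, 1)

if __name__ == "__main__":
    print(instantiate(ISSUE_TABLE_SIZE, ISSUE_ELEM_OFFSET, []))  # None: traps
    print(instantiate(1, 0, ["$f"]))                              # ['$f']: in bounds
```

An offset equal to the table size with an empty segment is allowed by the same check, so the boundary is `s + n > len(tab)`, not `s >= len(tab)`.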

kripken commented 5 months ago

Looks like we don't have TableInit implemented yet, so that would be the first step here.