[Backport] CVE-2024-2887: Type Confusion in WebAssembly

Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/v8/v8/+/5380190: Merged: [wasm] Check for type-definition count limit (cherry picked from commit b852ad701db21d6db5b34e66f4ec1cdccd2ec4d4) Bug: chromium:330575498 Change-Id: I395f0ed6d823b7d1e139da6551486e3627d65724 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5378419 Commit-Queue: Jakob Kummerow <jkummerow@chromium.org> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Auto-Submit: Manos Koukoutos <manoskouk@chromium.org> Cr-Original-Commit-Position: refs/heads/main@{#92941} Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5380190 Reviewed-by: Francis McCabe <fgm@chromium.org> Commit-Queue: Adam Klein <adamk@chromium.org> Reviewed-by: Adam Klein <adamk@chromium.org> Cr-Commit-Position: refs/branch-heads/12.2@{#50} Cr-Branched-From: 6eb5a9616aa6f8c705217aeb7c7ab8c037a2f676-refs/heads/12.2.281@{#1} Cr-Branched-From: 44cf56d850167c6988522f8981730462abc04bcc-refs/heads/main@{#91934} Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/553298 Reviewed-by: Michal Klocek <michal.klocek@qt.io>
qt · Apr 10, 2024 · 05f91b1 · 05f91b1
1 parent e643f99
commit 05f91b1
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/chromium/v8/src/wasm/module-decoder-impl.h b/chromium/v8/src/wasm/module-decoder-impl.h
@@ -675,6 +675,11 @@ class ModuleDecoderImpl : public Decoder {
         }
       } else {
         if (tracer_) tracer_->TypeOffset(pc_offset());
+        if (initial_size + 1 > kV8MaxWasmTypes) {
+          errorf(pc(), "Type definition count exceeds maximum %zu",
+                 kV8MaxWasmTypes);
+          return;
+        }
         // Similarly to above, we need to resize types for a group of size 1.
         module_->types.resize(initial_size + 1);
         module_->isorecursive_canonical_type_ids.resize(initial_size + 1);