v8: make sure we're operating in a wasm32 memory space. (#307)

PiotrSikora · web-flow · commit 4fcf895fa243 · 2022-08-05T02:43:10.000-05:00
Reported by Chris Ertl from Google Security.

Signed-off-by: Piotr Sikora &lt;piotrsikora@google.com&gt;
diff --git a/src/v8/v8.cc b/src/v8/v8.cc
@@ -469,6 +469,10 @@ uint64_t V8::getMemorySize() { return memory_->data_size(); }
 
 std::optional<std::string_view> V8::getMemory(uint64_t pointer, uint64_t size) {
   assert(memory_ != nullptr);
+  // Make sure we're operating in a wasm32 memory space.
+  if (pointer > UINT32_MAX || size > UINT32_MAX || pointer + size > UINT32_MAX) {
+    return std::nullopt;
+  }
   if (pointer + size > memory_->data_size()) {
     return std::nullopt;
   }
@@ -477,6 +481,10 @@ std::optional<std::string_view> V8::getMemory(uint64_t pointer, uint64_t size) {
 
 bool V8::setMemory(uint64_t pointer, uint64_t size, const void *data) {
   assert(memory_ != nullptr);
+  // Make sure we're operating in a wasm32 memory space.
+  if (pointer > UINT32_MAX || size > UINT32_MAX || pointer + size > UINT32_MAX) {
+    return false;
+  }
   if (pointer + size > memory_->data_size()) {
     return false;
   }
@@ -486,6 +494,10 @@ bool V8::setMemory(uint64_t pointer, uint64_t size, const void *data) {
 
 bool V8::getWord(uint64_t pointer, Word *word) {
   constexpr auto size = sizeof(uint32_t);
+  // Make sure we're operating in a wasm32 memory space.
+  if (pointer > UINT32_MAX || pointer + size > UINT32_MAX) {
+    return false;
+  }
   if (pointer + size > memory_->data_size()) {
     return false;
   }
@@ -497,6 +509,10 @@ bool V8::getWord(uint64_t pointer, Word *word) {
 
 bool V8::setWord(uint64_t pointer, Word word) {
   constexpr auto size = sizeof(uint32_t);
+  // Make sure we're operating in a wasm32 memory space.
+  if (pointer > UINT32_MAX || pointer + size > UINT32_MAX) {
+    return false;
+  }
   if (pointer + size > memory_->data_size()) {
     return false;
   }
