fluencelabs/assemblyscript
1
0
Fork 0
mirror of https://github.com/fluencelabs/assemblyscript synced 2025-04-26 15:32:16 +00:00
Code Issues Projects Releases Wiki Activity

Fix possible out of bounds read in string UTF8 conversion

Browse Source
This commit is contained in:
dcodeIO 2018-05-23 15:37:09 +02:00
parent 829af2285c
commit 51ede113dd
7 changed files with 687 additions and 658 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
dist/asc.js vendored
View File

File diff suppressed because one or more lines are too long

2
dist/asc.js.map vendored
View File

File diff suppressed because one or more lines are too long

71
std/assembly/string.ts
View File

@ -414,57 +414,62 @@ export class String {
} }
get lengthUTF8(): i32 { get lengthUTF8(): i32 {
var blen = 1; // null terminated var len = 1; // null terminated
for (let i: usize = 0, k = <usize>this.length; i < k;) { var pos: usize = 0;
let c = <u32>load<u16>(changetype<usize>(this) + (i << 1), HEADER_SIZE); var end = <usize>this.length;
while (pos < end) {
let c = <u32>load<u16>(changetype<usize>(this) + (pos << 1), HEADER_SIZE);
if (c < 128) { if (c < 128) {
blen += 1; ++i; len += 1; ++pos;
} else if (c < 2048) { } else if (c < 2048) {
blen += 2; ++i; len += 2; ++pos;
} else if (
(c & 0xFC00) === 0xD800 &&
(<u32>load<u16>(changetype<usize>(this) + ((i + 1) << 1), HEADER_SIZE) & 0xFC00) === 0xDC00
) {
blen += 4; i += 2;
} else { } else {
blen += 3; ++i; if (
(c & 0xFC00) == 0xD800 && pos + 1 < end &&
(<u32>load<u16>(changetype<usize>(this) + ((pos + 1) << 1), HEADER_SIZE) & 0xFC00) == 0xDC00
) {
len += 4; pos += 2;
} else {
len += 3; ++pos;
} }
} }
return blen; }
return len;
} }
toUTF8(): usize { toUTF8(): usize {
var len = this.lengthUTF8; var buf = allocate_memory(<usize>this.lengthUTF8);
var buf = allocate_memory(len); var pos: usize = 0;
var end = <usize>this.length;
var off: usize = 0; var off: usize = 0;
for (let i: usize = 0, k = <usize>this.length; i < k;) { while (pos < end) {
let c1 = <u32>load<u16>(changetype<usize>(this) + (i << 1), HEADER_SIZE); let c1 = <u32>load<u16>(changetype<usize>(this) + (pos << 1), HEADER_SIZE);
if (c1 < 128) { if (c1 < 128) {
store<u8>(buf + off, c1); store<u8>(buf + off, c1);
++off; ++i; ++off; ++pos;
} else if (c1 < 2048) { } else if (c1 < 2048) {
let pos = buf + off; let ptr = buf + off;
store<u8>(pos, c1 >> 6 | 192); store<u8>(ptr, c1 >> 6 | 192);
store<u8>(pos, c1 & 63 | 128, 1); store<u8>(ptr, c1 & 63 | 128, 1);
off += 2; ++i; off += 2; ++pos;
} else { } else {
let pos = buf + off; let ptr = buf + off;
if ((c1 & 0xFC00) == 0xD800) { if ((c1 & 0xFC00) == 0xD800 && pos + 1 < end) {
let c2 = <u32>load<u16>(changetype<usize>(this) + ((i + 1) << 1), HEADER_SIZE); let c2 = <u32>load<u16>(changetype<usize>(this) + ((pos + 1) << 1), HEADER_SIZE);
if ((c2 & 0xFC00) == 0xDC00) { if ((c2 & 0xFC00) == 0xDC00) {
c1 = 0x10000 + ((c1 & 0x03FF) << 10) + (c2 & 0x03FF); c1 = 0x10000 + ((c1 & 0x03FF) << 10) + (c2 & 0x03FF);
store<u8>(pos, c1 >> 18 | 240); store<u8>(ptr, c1 >> 18 | 240);
store<u8>(pos, c1 >> 12 & 63 | 128, 1); store<u8>(ptr, c1 >> 12 & 63 | 128, 1);
store<u8>(pos, c1 >> 6 & 63 | 128, 2); store<u8>(ptr, c1 >> 6 & 63 | 128, 2);
store<u8>(pos, c1 & 63 | 128, 3); store<u8>(ptr, c1 & 63 | 128, 3);
off += 4; i += 2; off += 4; pos += 2;
continue; continue;
} }
} }
store<u8>(pos, c1 >> 12 | 224); store<u8>(ptr, c1 >> 12 | 224);
store<u8>(pos, c1 >> 6 & 63 | 128, 1); store<u8>(ptr, c1 >> 6 & 63 | 128, 1);
store<u8>(pos, c1 & 63 | 128, 2); store<u8>(ptr, c1 & 63 | 128, 2);
off += 3; ++i; off += 3; ++pos;
} }
} }
store<u8>(buf + off, 0); store<u8>(buf + off, 0);

116
tests/compiler/std/string-utf8.optimized.wat
View File

@ -23,19 +23,18 @@
(set_local $1 (set_local $1
(i32.const 1) (i32.const 1)
) )
(block $break|0
(set_local $4 (set_local $4
(i32.load (i32.load
(get_local $0) (get_local $0)
) )
) )
(loop $loop|0 (loop $continue|0
(br_if $break|0 (if
(i32.ge_u (i32.lt_u
(get_local $2) (get_local $2)
(get_local $4) (get_local $4)
) )
) (block
(set_local $2 (set_local $2
(if (result i32) (if (result i32)
(i32.lt_u (i32.lt_u
@ -81,6 +80,7 @@
(i32.const 1) (i32.const 1)
) )
) )
(if (result i32)
(if (result i32) (if (result i32)
(if (result i32) (if (result i32)
(tee_local $3 (tee_local $3
@ -92,6 +92,17 @@
(i32.const 55296) (i32.const 55296)
) )
) )
(tee_local $3
(i32.lt_u
(i32.add
(get_local $2)
(i32.const 1)
)
(get_local $4)
)
)
(get_local $3)
)
(i32.eq (i32.eq
(i32.and (i32.and
(i32.load16_u offset=4 (i32.load16_u offset=4
@ -140,7 +151,8 @@
) )
) )
) )
(br $loop|0) (br $continue|0)
)
) )
) )
(get_local $1) (get_local $1)
@ -249,29 +261,26 @@
) )
) )
) )
(block $break|0 (set_local $7
(set_local $6
(i32.load (i32.load
(get_local $0) (get_local $0)
) )
) )
(loop $loop|0 (loop $continue|0
(block $continue|0 (if
(br_if $break|0 (i32.lt_u
(i32.ge_u (get_local $3)
(get_local $2) (get_local $7)
(get_local $6)
) )
) (block
(set_local $3 (if
(if (result i32)
(i32.lt_u (i32.lt_u
(tee_local $1 (tee_local $1
(i32.load16_u offset=4 (i32.load16_u offset=4
(i32.add (i32.add
(get_local $0) (get_local $0)
(i32.shl (i32.shl
(get_local $2) (get_local $3)
(i32.const 1) (i32.const 1)
) )
) )
@ -279,11 +288,11 @@
) )
(i32.const 128) (i32.const 128)
) )
(block (result i32) (block
(i32.store8 (i32.store8
(i32.add (i32.add
(get_local $5) (get_local $5)
(get_local $3) (get_local $2)
) )
(get_local $1) (get_local $1)
) )
@ -293,22 +302,18 @@
(i32.const 1) (i32.const 1)
) )
) )
(i32.add
(get_local $3)
(i32.const 1)
) )
) (if
(if (result i32)
(i32.lt_u (i32.lt_u
(get_local $1) (get_local $1)
(i32.const 2048) (i32.const 2048)
) )
(block (result i32) (block
(i32.store8 (i32.store8
(tee_local $4 (tee_local $4
(i32.add (i32.add
(get_local $5) (get_local $5)
(get_local $3) (get_local $2)
) )
) )
(i32.or (i32.or
@ -332,22 +337,20 @@
(set_local $2 (set_local $2
(i32.add (i32.add
(get_local $2) (get_local $2)
(i32.const 1)
)
)
(i32.add
(get_local $3)
(i32.const 2) (i32.const 2)
) )
) )
(block (result i32) )
(block
(set_local $4 (set_local $4
(i32.add (i32.add
(get_local $5) (get_local $5)
(get_local $3) (get_local $2)
) )
) )
(if (if
(if (result i32)
(tee_local $6
(i32.eq (i32.eq
(i32.and (i32.and
(get_local $1) (get_local $1)
@ -355,16 +358,26 @@
) )
(i32.const 55296) (i32.const 55296)
) )
)
(i32.lt_u
(i32.add
(get_local $3)
(i32.const 1)
)
(get_local $7)
)
(get_local $6)
)
(if (if
(i32.eq (i32.eq
(i32.and (i32.and
(tee_local $7 (tee_local $6
(i32.load16_u offset=4 (i32.load16_u offset=4
(i32.add (i32.add
(get_local $0) (get_local $0)
(i32.shl (i32.shl
(i32.add (i32.add
(get_local $2) (get_local $3)
(i32.const 1) (i32.const 1)
) )
(i32.const 1) (i32.const 1)
@ -394,7 +407,7 @@
(i32.const 65536) (i32.const 65536)
) )
(i32.and (i32.and
(get_local $7) (get_local $6)
(i32.const 1023) (i32.const 1023)
) )
) )
@ -440,19 +453,19 @@
(i32.const 128) (i32.const 128)
) )
) )
(set_local $3
(i32.add
(get_local $3)
(i32.const 4)
)
)
(set_local $2 (set_local $2
(i32.add (i32.add
(get_local $2) (get_local $2)
(i32.const 4)
)
)
(set_local $3
(i32.add
(get_local $3)
(i32.const 2) (i32.const 2)
) )
) )
(br $loop|0) (br $continue|0)
) )
) )
) )
@ -492,25 +505,26 @@
(set_local $2 (set_local $2
(i32.add (i32.add
(get_local $2) (get_local $2)
(i32.const 1)
)
)
(i32.add
(get_local $3)
(i32.const 3) (i32.const 3)
) )
) )
) )
) )
) )
(set_local $3
(i32.add
(get_local $3)
(i32.const 1)
)
)
(br $continue|0)
) )
(br $loop|0)
) )
) )
(i32.store8 (i32.store8
(i32.add (i32.add
(get_local $5) (get_local $5)
(get_local $3) (get_local $2)
) )
(i32.const 0) (i32.const 0)
) )

206
tests/compiler/std/string-utf8.untouched.wat
View File

@ -29,8 +29,6 @@
(set_local $1 (set_local $1
(i32.const 1) (i32.const 1)
) )
(block $break|0
(block
(set_local $2 (set_local $2
(i32.const 0) (i32.const 0)
) )
@ -39,17 +37,14 @@
(get_local $0) (get_local $0)
) )
) )
) (block $break|0
(loop $loop|0 (loop $continue|0
(block $continue|0 (if
(br_if $break|0
(i32.eqz
(i32.lt_u (i32.lt_u
(get_local $2) (get_local $2)
(get_local $3) (get_local $3)
) )
) (block
)
(block (block
(set_local $4 (set_local $4
(i32.load16_u offset=4 (i32.load16_u offset=4
@ -101,6 +96,8 @@
) )
) )
(if (if
(if (result i32)
(tee_local $5
(if (result i32) (if (result i32)
(tee_local $5 (tee_local $5
(i32.eq (i32.eq
@ -111,6 +108,16 @@
(i32.const 55296) (i32.const 55296)
) )
) )
(i32.lt_u
(i32.add
(get_local $2)
(i32.const 1)
)
(get_local $3)
)
(get_local $5)
)
)
(i32.eq (i32.eq
(i32.and (i32.and
(i32.load16_u offset=4 (i32.load16_u offset=4
@ -163,9 +170,9 @@
) )
) )
) )
(br $continue|0)
)
) )
(nop)
(br $loop|0)
) )
) )
(return (return
@ -290,48 +297,39 @@
(local $5 i32) (local $5 i32)
(local $6 i32) (local $6 i32)
(local $7 i32) (local $7 i32)
(local $8 i32)
(set_local $1 (set_local $1
(call $~lib/allocator/arena/allocate_memory
(call $~lib/string/String#get:lengthUTF8 (call $~lib/string/String#get:lengthUTF8
(get_local $0) (get_local $0)
) )
) )
(set_local $2
(call $~lib/allocator/arena/allocate_memory
(get_local $1)
) )
(set_local $2
(i32.const 0)
) )
(set_local $3 (set_local $3
(i32.const 0)
)
(block $break|0
(block
(set_local $4
(i32.const 0)
)
(set_local $5
(i32.load (i32.load
(get_local $0) (get_local $0)
) )
) )
(set_local $4
(i32.const 0)
) )
(loop $loop|0 (block $break|0
(block $continue|0 (loop $continue|0
(br_if $break|0 (if
(i32.eqz
(i32.lt_u (i32.lt_u
(get_local $4) (get_local $2)
(get_local $5) (get_local $3)
)
)
) )
(block (block
(set_local $6 (block
(set_local $5
(i32.load16_u offset=4 (i32.load16_u offset=4
(i32.add (i32.add
(get_local $0) (get_local $0)
(i32.shl (i32.shl
(get_local $4) (get_local $2)
(i32.const 1) (i32.const 1)
) )
) )
@ -339,22 +337,16 @@
) )
(if (if
(i32.lt_u (i32.lt_u
(get_local $6) (get_local $5)
(i32.const 128) (i32.const 128)
) )
(block (block
(i32.store8 (i32.store8
(i32.add (i32.add
(get_local $2) (get_local $1)
(get_local $3) (get_local $4)
)
(get_local $6)
)
(set_local $3
(i32.add
(get_local $3)
(i32.const 1)
) )
(get_local $5)
) )
(set_local $4 (set_local $4
(i32.add (i32.add
@ -362,75 +354,93 @@
(i32.const 1) (i32.const 1)
) )
) )
(set_local $2
(i32.add
(get_local $2)
(i32.const 1)
)
)
) )
(if (if
(i32.lt_u (i32.lt_u
(get_local $6) (get_local $5)
(i32.const 2048) (i32.const 2048)
) )
(block (block
(set_local $7 (set_local $6
(i32.add (i32.add
(get_local $2) (get_local $1)
(get_local $3) (get_local $4)
) )
) )
(i32.store8 (i32.store8
(get_local $7) (get_local $6)
(i32.or (i32.or
(i32.shr_u (i32.shr_u
(get_local $6) (get_local $5)
(i32.const 6) (i32.const 6)
) )
(i32.const 192) (i32.const 192)
) )
) )
(i32.store8 offset=1 (i32.store8 offset=1
(get_local $7) (get_local $6)
(i32.or (i32.or
(i32.and (i32.and
(get_local $6) (get_local $5)
(i32.const 63) (i32.const 63)
) )
(i32.const 128) (i32.const 128)
) )
) )
(set_local $3
(i32.add
(get_local $3)
(i32.const 2)
)
)
(set_local $4 (set_local $4
(i32.add (i32.add
(get_local $4) (get_local $4)
(i32.const 2)
)
)
(set_local $2
(i32.add
(get_local $2)
(i32.const 1) (i32.const 1)
) )
) )
) )
(block (block
(set_local $7 (set_local $6
(i32.add (i32.add
(get_local $2) (get_local $1)
(get_local $3) (get_local $4)
) )
) )
(if (if
(if (result i32)
(tee_local $7
(i32.eq (i32.eq
(i32.and (i32.and
(get_local $6) (get_local $5)
(i32.const 64512) (i32.const 64512)
) )
(i32.const 55296) (i32.const 55296)
) )
)
(i32.lt_u
(i32.add
(get_local $2)
(i32.const 1)
)
(get_local $3)
)
(get_local $7)
)
(block (block
(set_local $8 (set_local $7
(i32.load16_u offset=4 (i32.load16_u offset=4
(i32.add (i32.add
(get_local $0) (get_local $0)
(i32.shl (i32.shl
(i32.add (i32.add
(get_local $4) (get_local $2)
(i32.const 1) (i32.const 1)
) )
(i32.const 1) (i32.const 1)
@ -441,46 +451,46 @@
(if (if
(i32.eq (i32.eq
(i32.and (i32.and
(get_local $8) (get_local $7)
(i32.const 64512) (i32.const 64512)
) )
(i32.const 56320) (i32.const 56320)
) )
(block (block
(set_local $6 (set_local $5
(i32.add (i32.add
(i32.add (i32.add
(i32.const 65536) (i32.const 65536)
(i32.shl (i32.shl
(i32.and (i32.and
(get_local $6) (get_local $5)
(i32.const 1023) (i32.const 1023)
) )
(i32.const 10) (i32.const 10)
) )
) )
(i32.and (i32.and
(get_local $8) (get_local $7)
(i32.const 1023) (i32.const 1023)
) )
) )
) )
(i32.store8 (i32.store8
(get_local $7) (get_local $6)
(i32.or (i32.or
(i32.shr_u (i32.shr_u
(get_local $6) (get_local $5)
(i32.const 18) (i32.const 18)
) )
(i32.const 240) (i32.const 240)
) )
) )
(i32.store8 offset=1 (i32.store8 offset=1
(get_local $7) (get_local $6)
(i32.or (i32.or
(i32.and (i32.and
(i32.shr_u (i32.shr_u
(get_local $6) (get_local $5)
(i32.const 12) (i32.const 12)
) )
(i32.const 63) (i32.const 63)
@ -489,11 +499,11 @@
) )
) )
(i32.store8 offset=2 (i32.store8 offset=2
(get_local $7) (get_local $6)
(i32.or (i32.or
(i32.and (i32.and
(i32.shr_u (i32.shr_u
(get_local $6) (get_local $5)
(i32.const 6) (i32.const 6)
) )
(i32.const 63) (i32.const 63)
@ -502,24 +512,24 @@
) )
) )
(i32.store8 offset=3 (i32.store8 offset=3
(get_local $7) (get_local $6)
(i32.or (i32.or
(i32.and (i32.and
(get_local $6) (get_local $5)
(i32.const 63) (i32.const 63)
) )
(i32.const 128) (i32.const 128)
) )
) )
(set_local $3
(i32.add
(get_local $3)
(i32.const 4)
)
)
(set_local $4 (set_local $4
(i32.add (i32.add
(get_local $4) (get_local $4)
(i32.const 4)
)
)
(set_local $2
(i32.add
(get_local $2)
(i32.const 2) (i32.const 2)
) )
) )
@ -529,21 +539,21 @@
) )
) )
(i32.store8 (i32.store8
(get_local $7) (get_local $6)
(i32.or (i32.or
(i32.shr_u (i32.shr_u
(get_local $6) (get_local $5)
(i32.const 12) (i32.const 12)
) )
(i32.const 224) (i32.const 224)
) )
) )
(i32.store8 offset=1 (i32.store8 offset=1
(get_local $7) (get_local $6)
(i32.or (i32.or
(i32.and (i32.and
(i32.shr_u (i32.shr_u
(get_local $6) (get_local $5)
(i32.const 6) (i32.const 6)
) )
(i32.const 63) (i32.const 63)
@ -552,24 +562,24 @@
) )
) )
(i32.store8 offset=2 (i32.store8 offset=2
(get_local $7) (get_local $6)
(i32.or (i32.or
(i32.and (i32.and
(get_local $6) (get_local $5)
(i32.const 63) (i32.const 63)
) )
(i32.const 128) (i32.const 128)
) )
) )
(set_local $3
(i32.add
(get_local $3)
(i32.const 3)
)
)
(set_local $4 (set_local $4
(i32.add (i32.add
(get_local $4) (get_local $4)
(i32.const 3)
)
)
(set_local $2
(i32.add
(get_local $2)
(i32.const 1) (i32.const 1)
) )
) )
@ -577,20 +587,20 @@
) )
) )
) )
(br $continue|0)
)
) )
(nop)
(br $loop|0)
) )
) )
(i32.store8 (i32.store8
(i32.add (i32.add
(get_local $2) (get_local $1)
(get_local $3) (get_local $4)
) )
(i32.const 0) (i32.const 0)
) )
(return (return
(get_local $2) (get_local $1)
) )
) )
(func $~lib/allocator/arena/free_memory (; 4 ;) (type $iv) (param $0 i32) (func $~lib/allocator/arena/free_memory (; 4 ;) (type $iv) (param $0 i32)

2
tests/compiler/std/string.optimized.wat
View File

@ -980,7 +980,7 @@
(call $~lib/env/abort (call $~lib/env/abort
(i32.const 0) (i32.const 0)
(i32.const 76) (i32.const 76)
(i32.const 524) (i32.const 529)
(i32.const 10) (i32.const 10)
) )
(unreachable) (unreachable)

2
tests/compiler/std/string.untouched.wat
View File

@ -1159,7 +1159,7 @@
(call $~lib/env/abort (call $~lib/env/abort
(i32.const 0) (i32.const 0)
(i32.const 76) (i32.const 76)
(i32.const 524) (i32.const 529)
(i32.const 10) (i32.const 10)
) )
(unreachable) (unreachable)