ubsan: wasm: shift is too large for 64-bit type 'bfd_vma'

bfd/ * wasm-module.c (wasm_read_leb128): Don't allow oversize shifts. Catch value overflow. Sign extend only on terminating byte. opcodes/ * wasm32-dis.c (wasm_read_leb128): Don't allow oversize shifts. Catch value overflow. Sign extend only on terminating byte.
6 years ago · 27c1c4271a
4 changed files with 43 additions and 19 deletions
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@ -1,3 +1,8 @@
+2019-12-23  Alan Modra  <amodra@gmail.com>
+
+	* wasm-module.c (wasm_read_leb128): Don't allow oversize shifts.
+	Catch value overflow.  Sign extend only on terminating byte.
+
 2019-12-20  Alan Modra  <amodra@gmail.com>

 	* xtensa-isa.c (xtensa_insnbuf_from_chars): Avoid signed overflow.
--- a/bfd/wasm-module.c
+++ b/bfd/wasm-module.c
@ -111,18 +111,28 @@ wasm_read_leb128 (bfd *		  abfd,
  unsigned int num_read = 0;
  unsigned int shift = 0;
  unsigned char byte = 0;
-  bfd_boolean success = FALSE;
+  int status = 1;

  while (bfd_bread (&byte, 1, abfd) == 1)
    {
      num_read++;

-      result |= ((bfd_vma) (byte & 0x7f)) << shift;
+      if (shift < sizeof (result) * 8)
+	{
+	  result |= ((bfd_vma) (byte & 0x7f)) << shift;
+	  if ((result >> shift) != (byte & 0x7f))
+	    /* Overflow.  */
+	    status |= 2;
+	  shift += 7;
+	}
+      else if ((byte & 0x7f) != 0)
+	status |= 2;

-      shift += 7;
      if ((byte & 0x80) == 0)
 	{
-	  success = TRUE;
+	  status &= ~1;
+	  if (sign && (shift < 8 * sizeof (result)) && (byte & 0x40))
+	    result |= -((bfd_vma) 1 << shift);
 	  break;
 	}
    }
@ -130,10 +140,7 @@ wasm_read_leb128 (bfd *		  abfd,
  if (length_return != NULL)
    *length_return = num_read;
  if (error_return != NULL)
-    *error_return = ! success;
-
-  if (sign && (shift < 8 * sizeof (result)) && (byte & 0x40))
-    result |= -((bfd_vma) 1 << shift);
+    *error_return = status != 0;

  return result;
 }
--- a/opcodes/ChangeLog
+++ b/opcodes/ChangeLog
@ -1,3 +1,8 @@
+2019-12-23  Alan Modra  <amodra@gmail.com>
+
+	* wasm32-dis.c (wasm_read_leb128): Don't allow oversize shifts.
+	Catch value overflow.  Sign extend only on terminating byte.
+
 2019-12-20  Alan Modra  <amodra@gmail.com>

 	PR 25281
--- a/opcodes/wasm32-dis.c
+++ b/opcodes/wasm32-dis.c
@ -192,29 +192,36 @@ wasm_read_leb128 (bfd_vma                   pc,
  unsigned int num_read = 0;
  unsigned int shift = 0;
  unsigned char byte = 0;
-  bfd_boolean success = FALSE;
+  int status = 1;

  while (info->read_memory_func (pc + num_read, &byte, 1, info) == 0)
    {
      num_read++;

-      result |= ((bfd_vma) (byte & 0x7f)) << shift;
+      if (shift < sizeof (result) * 8)
+	{
+	  result |= ((uint64_t) (byte & 0x7f)) << shift;
+	  if ((result >> shift) != (byte & 0x7f))
+	    /* Overflow.  */
+	    status |= 2;
+	  shift += 7;
+	}
+      else if ((byte & 0x7f) != 0)
+	status |= 2;

-      shift += 7;
      if ((byte & 0x80) == 0)
-        {
-          success = TRUE;
-          break;
-        }
+	{
+	  status &= ~1;
+	  if (sign && (shift < 8 * sizeof (result)) && (byte & 0x40))
+	    result |= -((uint64_t) 1 << shift);
+	  break;
+	}
    }

  if (length_return != NULL)
    *length_return = num_read;
  if (error_return != NULL)
-    *error_return = ! success;
-
-  if (sign && (shift < 8 * sizeof (result)) && (byte & 0x40))
-    result |= -((uint64_t) 1 << shift);
+    *error_return = status != 0;

  return result;
 }