Handle out-of-bounds component sections (#8323) (#8339)

* Handle out-of-bounds component sections Fixes https://github.com/bytecodealliance/wasmtime/issues/8322 * Add a test that trancated component binaries don't cause panics Co-authored-by: Nick Fitzgerald <fitzgen@gmail.com>
7 months ago · a6a22c0dd9
2 changed files with 56 additions and 1 deletions
--- a/crates/environ/src/component/translate.rs
+++ b/crates/environ/src/component/translate.rs
@ -4,6 +4,7 @@ use crate::{
    EntityIndex, ModuleEnvironment, ModuleTranslation, ModuleTypesBuilder, PrimaryMap,
    SignatureIndex, Tunables, TypeConvert, WasmHeapType, WasmType,
 };
+use anyhow::anyhow;
 use anyhow::{bail, Result};
 use indexmap::IndexMap;
 use std::collections::HashMap;
@ -533,7 +534,18 @@ impl<'a, 'data> Translator<'a, 'data> {
                    self.validator,
                    self.types.module_types_builder(),
                )
-                .translate(parser, &component[range.start..range.end])?;
+                .translate(
+                    parser,
+                    component.get(range.start..range.end).ok_or_else(|| {
+                        anyhow!(
+                            "section range {}..{} is out of bounds (bound = {})",
+                            range.start,
+                            range.end,
+                            component.len()
+                        )
+                        .context("wasm component contains an invalid module section")
+                    })?,
+                )?;
                let static_idx = self.static_modules.push(translation);
                self.result
                    .initializers
--- a/tests/all/component_model/aot.rs
+++ b/tests/all/component_model/aot.rs
@ -133,3 +133,46 @@ fn detect_precompiled() -> Result<()> {
    );
    Ok(())
 }
+
+#[test]
+#[cfg_attr(miri, ignore)]
+fn truncated_component_binaries_dont_panic() -> Result<()> {
+    let engine = super::engine();
+
+    let binary = wat::parse_str(
+        r#"
+        (component
+            (import "a" (core module $m0
+                (import "" "" (func))
+            ))
+
+            (core module $m1
+                (func (export ""))
+            )
+            (core instance $i1 (instantiate (module $m1)))
+            (func $f (canon lift (core func $i1 "f")))
+
+            (component $c1
+                (import "f" (func))
+                (core module $m2
+                    (func (export "g"))
+                )
+                (core instance $i2 (instantiate $m2))
+                (func (export "g")
+                    (canon lift (core func $i2 "g"))
+                )
+            )
+            (instance $i3 (instantiate $c1 (with "f" (func $f))))
+            (func (export "g") (alias export $i3 "g"))
+        )
+        "#,
+    )?;
+
+    // Check that if we feed each truncation of the component binary into
+    // `Component::new` we don't get any panics.
+    for i in 1..binary.len() - 1 {
+        let _ = Component::from_binary(&engine, &binary[0..i]);
+    }
+
+    Ok(())
+}