Add bounds check for function body size in binary reader #2693
Merged
sbc100 merged 1 commit into WebAssembly:main (Feb 13, 2026)
Conversation
sbc100 reviewed on Feb 12, 2026
| TEST(BinaryReader, InvalidFunctionBodySize) { | ||
| // A wasm module where the function body size extends past the end of the | ||
| // code section. Without the bounds check this would allow the binary reader | ||
| // to read past the section boundary. |
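Review bot: the comment documents the pre-fix behaviour (reading past the section boundary) but not what the reader is now expected to report, so the test should assert on the specific error for the oversized-body case rather than on failure alone; otherwise a regression that fails for an unrelated reason (for example a malformed LEB128) keeps the test green. Since the fix uses `end_offset <= read_end_`, a second module whose body ends exactly at the section boundary would also pin down that the comparison is inclusive and does not reject valid modules.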
Member
Presumably this means we are lacking an upstream spec test for this case?
Maybe add a TODO here to move this test upstream into the spec repo?
Contributor
Author
Done, added a TODO to move this test upstream into the spec repo.
sbc100 approved these changes on Feb 12, 2026
ReadCodeSection computed end_offset = body_start_offset + body_size without validating that end_offset falls within the code section boundary. A crafted module with an oversized body_size could cause the reader to parse past the section end, reading into subsequent sections or past the end of the buffer. Add an ERROR_UNLESS check that end_offset does not overflow and does not exceed read_end_, matching the validation pattern used elsewhere in the binary reader for section and subsection sizes. Add a regression test with a wasm module whose function body size exceeds the code section boundary.
86e5173 to b6aefa2
Summary

ReadCodeSection computed end_offset = body_start_offset + body_size without validating that end_offset falls within the code section boundary (read_end_). A crafted module with an oversized body_size could cause the reader to parse past the section end. Add an ERROR_UNLESS check that validates end_offset against read_end_, matching the validation pattern used elsewhere for section and subsection sizes.

Details

In binary-reader.cc, ReadCodeSection reads body_size via LEB128 and computes the expected end offset, end_offset = body_start_offset + body_size. The end_offset is later used to set state_.offset (when skip_function_bodies is true) and passed to ReadFunctionBody as the expected end position. Without bounds validation, a malformed body_size allows reading past the code section boundary.

Fix: Add ERROR_UNLESS(end_offset >= body_start_offset && end_offset <= read_end_, ...) immediately after computing end_offset.

Test plan

BinaryReader.InvalidFunctionBodySize exercises the fix with a wasm module whose function body size (255 bytes) exceeds the code section
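The following is an added example, not wabt's code, that sketches the code-section walk the PR hardens in a stand-alone form so the two behaviours can be compared side by side. It reads a ULEB128 function count and, for each function, a ULEB128 body_size, computes end_offset = body_start_offset + body_size, and (when enabled) applies the PR's condition, end_offset >= body_start_offset && end_offset <= read_end_, before advancing the cursor. The names body_start_offset, body_size, end_offset and read_end_ are taken from the PR; everything else (ReadResult, ReadU32Leb128, the check_bounds toggle, the constructed section bytes) is assumed for the example and does not reflect wabt's real structure.

```cpp
// Added example (not wabt's code): minimal sketch of a code-section walk
// with and without the bounds check described in the PR.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

struct ReadResult {
  bool ok;
  std::string error;
  size_t bodies_read;   // function bodies walked before stopping
  size_t final_offset;  // where the cursor ended up
};

// Reads an unsigned LEB128 value starting at *offset, advancing *offset.
// Returns false if the bytes run out before `limit` or the value needs
// more than five bytes (sketch: the fifth byte's high bits are truncated).
static bool ReadU32Leb128(const std::vector<uint8_t>& data, size_t* offset,
                          size_t limit, uint32_t* out) {
  uint32_t result = 0;
  int shift = 0;
  while (*offset < limit) {
    uint8_t byte = data[*offset];
    ++*offset;
    if (shift >= 32) return false;  // value too wide for u32
    result |= static_cast<uint32_t>(byte & 0x7f) << shift;
    if ((byte & 0x80) == 0) {
      *out = result;
      return true;
    }
    shift += 7;
  }
  return false;  // ran out of bytes inside the section
}

// Walks a code section occupying data[section_start, read_end_).
// check_bounds toggles the PR's fix so both behaviours can be observed.
static ReadResult ReadCodeSection(const std::vector<uint8_t>& data,
                                  size_t section_start, size_t read_end_,
                                  bool check_bounds) {
  if (read_end_ > data.size() || section_start > read_end_)
    return {false, "section bounds exceed buffer", 0, section_start};
  size_t offset = section_start;
  uint32_t num_functions = 0;
  if (!ReadU32Leb128(data, &offset, read_end_, &num_functions))
    return {false, "unable to read function count", 0, offset};
  size_t bodies = 0;
  for (uint32_t i = 0; i < num_functions; ++i) {
    uint32_t body_size = 0;
    if (!ReadU32Leb128(data, &offset, read_end_, &body_size))
      return {false, "unable to read function body size", bodies, offset};
    size_t body_start_offset = offset;
    size_t end_offset = body_start_offset + body_size;
    if (check_bounds) {
      // The PR's condition: no wraparound, and the body ends inside the section.
      if (!(end_offset >= body_start_offset && end_offset <= read_end_))
        return {false, "function body extends past end of code section",
                bodies, offset};
    }
    // Skip the body (the skip_function_bodies path in the PR description).
    // Without the check, the cursor can now point past read_end_ and past
    // the end of the buffer.
    offset = end_offset;
    ++bodies;
  }
  return {true, "", bodies, offset};
}

// Constructed code section: 1 function, body_size = 2, body bytes {0x00, 0x0b}.
static std::vector<uint8_t> MakeValidSection() {
  return {0x01, 0x02, 0x00, 0x0b};
}

// Constructed code section: 1 function, body_size = 255 (LEB128 0xff 0x01)
// but only two body bytes actually present, mirroring the PR's test module.
static std::vector<uint8_t> MakeOversizedSection() {
  return {0x01, 0xff, 0x01, 0x00, 0x0b};
}

int main() {
  ReadResult good = ReadCodeSection(MakeValidSection(), 0, 4, true);
  ReadResult unchecked = ReadCodeSection(MakeOversizedSection(), 0, 5, false);
  ReadResult checked = ReadCodeSection(MakeOversizedSection(), 0, 5, true);
  std::printf("valid section:      ok=%d cursor=%zu\n", good.ok, good.final_offset);
  std::printf("oversized, no check: ok=%d cursor=%zu (section ends at 5)\n",
              unchecked.ok, unchecked.final_offset);
  std::printf("oversized, checked:  ok=%d error=\"%s\"\n", checked.ok,
              checked.error.c_str());
  return 0;
}
```

With the check disabled the oversized section is accepted and the cursor lands at offset 258 of a 5-byte section, which is exactly the state the PR's description warns about. The end_offset >= body_start_offset half of the condition only matters when the offset type can wrap; with a 32-bit body_size added to a 64-bit size_t it cannot, but keeping it matches the PR and costs nothing.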