Fix integer overflow in section and subsection size checks#2694
Merged
sbc100 merged 1 commit into WebAssembly:main on Feb 13, 2026
Conversation
sbc100 approved these changes, Feb 12, 2026
sbc100 (Member) left a comment:
Thanks!
As with the other new tests, I wonder if we should have a TODO to move these tests upstream?
Author (Contributor): Done, added TODO comments to both tests to move them upstream into the spec repo.
Commit message:

Multiple places in the binary reader computed boundary offsets by adding a size value to the current position before checking bounds:

    read_end_ = state_.offset + section_size;
    subsection_end = state_.offset + subsection_size;
    state_.offset + str_len <= read_end_
    state_.offset + size <= read_end_

On platforms where size_t is 32-bit, a large size value can cause the addition to wrap around, producing a small result that incorrectly passes subsequent bounds checks. Replace all addition-based checks with subtraction-based equivalents (e.g. `size > read_end_ - state_.offset`), which are safe because the invariant state_.offset <= read_end_ is always maintained.

Affected functions:
- ReadSections (section size)
- ReadNameSection (subsection size)
- ReadDylinkSection (subsection size)
- ReadLinkingSection (subsection size)
- ReadStr (string length)
- ReadBytesWithSize (data size)

Add regression tests with oversized section and subsection sizes.
auto-merge was automatically disabled, February 13, 2026 14:35: Head branch was pushed to by a user without write access
Summary

The binary reader computed boundary offsets by adding a size value to the current position before checking bounds (e.g. `read_end_ = state_.offset + section_size`). On platforms where `size_t` is 32-bit, large size values cause the addition to wrap around, producing a small result that incorrectly passes subsequent bounds checks. Replace the addition-based checks with subtraction-based equivalents (e.g. `size > end - offset`), which are safe because the invariant `state_.offset <= read_end_` is always maintained.

Details

The vulnerable pattern appears in 6 locations:

- `ReadSections`: `read_end_ = state_.offset + section_size`
- `ReadNameSection`: `subsection_end = state_.offset + subsection_size`
- `ReadDylinkSection`: `subsection_end = state_.offset + subsection_size`
- `ReadLinkingSection`: `subsection_end = state_.offset + subsection_size`
- `ReadStr`: `state_.offset + str_len <= read_end_`
- `ReadBytesWithSize`: `state_.offset + size <= read_end_`

On 32-bit platforms where `Offset` is `size_t` (= `uint32_t`), a `section_size` of e.g. `0xFFFFFFF0` added to an offset of `0x20` produces `0x10`, which passes the check `read_end_ <= state_.size` even though the section extends far past the buffer.

Fix: use subtraction from the known-good bound instead. For `ReadSections`, add an explicit overflow check before computing `read_end_`.

Test plan

- `BinaryReader.OversizedSectionSize` with a 2 GiB section size in a tiny module
- `BinaryReader.OversizedSubsectionSize` with a name section subsection exceeding the section boundary
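The addition-based check and its subtraction-based replacement, as described in the commit message and the PR description above, reproduced as an added example. This is neither wabt's code nor the PR's diff: `Offset` is modelled as `uint32_t` so the 32-bit `size_t` wraparound shows up on any host, the `ReaderState` struct and the `Fits*`/`SectionFits`/`PayloadFits` helpers are constructed stand-ins, and only the field names (`offset`, `size`, `read_end`) and the worked numbers (`0x20`, `0xFFFFFFF0`, `0x10`) come from the PR text.

```cpp
// Added example, not wabt's code. uint32_t stands in for size_t on a 32-bit
// platform so the wraparound reproduces regardless of the host's word size.
#include <cstdint>
#include <cstdio>

using Offset = uint32_t;

// Constructed stand-in for the reader state named in the PR description.
struct ReaderState {
  Offset offset;    // state_.offset: current read position
  Offset size;      // state_.size: total length of the module buffer
  Offset read_end;  // read_end_: end of the enclosing section; offset <= read_end <= size
};

// BEFORE (the vulnerable pattern): compute the end by addition, then check it.
// offset + len wraps modulo 2^32, so a huge len can yield a small "end" that
// passes the bound comparison.
bool FitsAdditionCheck(Offset offset, Offset len, Offset bound) {
  Offset end = offset + len;  // wraps when offset + len >= 2^32
  return end <= bound;
}

// AFTER (the PR's fix): compare len against the room that remains, bound - offset.
// Given the invariant offset <= bound, the subtraction cannot underflow, so the
// comparison is exact for every possible len.
bool FitsSubtractionCheck(Offset offset, Offset len, Offset bound) {
  return len <= bound - offset;
}

// ReadSections-style check: a section must fit inside the whole module buffer.
bool SectionFits(const ReaderState& st, Offset section_size, bool hardened) {
  return hardened ? FitsSubtractionCheck(st.offset, section_size, st.size)
                  : FitsAdditionCheck(st.offset, section_size, st.size);
}

// ReadStr / ReadBytesWithSize / subsection-style check: a payload must fit
// inside the current section, whose end is read_end.
bool PayloadFits(const ReaderState& st, Offset len, bool hardened) {
  return hardened ? FitsSubtractionCheck(st.offset, len, st.read_end)
                  : FitsAdditionCheck(st.offset, len, st.read_end);
}

// The raw wrapped sum, to show the value the PR description quotes (0x10).
Offset WrappedEnd(Offset offset, Offset len) { return offset + len; }

int main() {
  // Constructed state: a 64-byte module with the reader positioned at byte 0x20.
  ReaderState st{0x20, 0x40, 0x40};
  const Offset kHuge = 0xFFFFFFF0u;

  std::printf("0x20 + 0xFFFFFFF0 wraps to 0x%X\n",
              static_cast<unsigned>(WrappedEnd(st.offset, kHuge)));
  std::printf("addition check accepts oversized section: %s\n",
              SectionFits(st, kHuge, /*hardened=*/false) ? "yes (bug)" : "no");
  std::printf("subtraction check accepts oversized section: %s\n",
              SectionFits(st, kHuge, /*hardened=*/true) ? "yes" : "no (fixed)");
  // A well-formed 16-byte section is accepted by both forms of the check.
  std::printf("both checks accept a 0x10-byte section: %s\n",
              (SectionFits(st, 0x10, false) && SectionFits(st, 0x10, true)) ? "yes" : "no");
  return 0;
}
```

The subtraction form is the one to reach for whenever a bound and a position are already known to satisfy `position <= bound`: it needs no wider integer type and no separate overflow check, which is why the PR can apply the same rewrite to all six call sites.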