
commit 8a07a5b43aa737feb22c3174de57d15da7c670fd
parent 7fb844c3b9844eb950add810f7cabbb8db7edb35
Author: Ben Visness <bvisness@mozilla.com>
Date:   Mon, 15 Dec 2025 18:04:05 +0000

Bug 2005350: Check custom page sizes pref at runtime. r=rhunt

We missed this, meaning that we could easily slip into cases where
unexpected code is running with a non-standard page size.

Differential Revision: https://phabricator.services.mozilla.com/D276496

Diffstat:
Ajs/src/jit-test/tests/wasm/custom-page-sizes/disabled.js | 6++++++
Mjs/src/wasm/WasmValidate.cpp | 11++++++++---
2 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/js/src/jit-test/tests/wasm/custom-page-sizes/disabled.js b/js/src/jit-test/tests/wasm/custom-page-sizes/disabled.js
@@ -0,0 +1,6 @@
+// |jit-test| skip-if: wasmCustomPageSizesEnabled()
+
+// Note the flag above: this only runs if custom page sizes are DISABLED.
+wasmValidateText(`(module (memory 0 1))`);
+wasmFailValidateText(`(module (memory 0 1 (pagesize 65536)))`, /custom page sizes are disabled|unexpected bits set in flags/);
+wasmFailValidateText(`(module (memory 0 1 (pagesize 1)))`, /custom page sizes are disabled|unexpected bits set in flags/);
diff --git a/js/src/wasm/WasmValidate.cpp b/js/src/wasm/WasmValidate.cpp
@@ -2800,7 +2800,8 @@ static bool DecodeLimitBound(Decoder& d, AddressType addressType,
 return true;
 }
-static bool DecodeLimits(Decoder& d, LimitsKind kind, Limits* limits) {
+static bool DecodeLimits(Decoder& d, CodeMetadata* codeMeta, LimitsKind kind,
+ Limits* limits) {
 uint8_t flags;
 if (!d.readFixedU8(&flags)) {
 return d.fail("expected flags");
@@ -2859,6 +2860,10 @@ static bool DecodeLimits(Decoder& d, LimitsKind kind, Limits* limits) {
 limits->pageSize = PageSize::Standard;
 #ifdef ENABLE_WASM_CUSTOM_PAGE_SIZES
 if (flags & uint8_t(LimitsFlags::HasCustomPageSize)) {
+ if (!codeMeta->customPageSizesEnabled()) {
+ return d.fail("custom page sizes are disabled");
+ }
+
 uint32_t customPageSize;
 if (!d.readVarU32(&customPageSize)) {
 return d.fail("failed to decode custom page size");
@@ -2908,7 +2913,7 @@ static bool DecodeTableType(Decoder& d, CodeMetadata* codeMeta, bool isImport) {
 }
 Limits limits;
- if (!DecodeLimits(d, LimitsKind::Table, &limits)) {
+ if (!DecodeLimits(d, codeMeta, LimitsKind::Table, &limits)) {
 return false;
 }
@@ -2972,7 +2977,7 @@ static bool DecodeMemoryTypeAndLimits(Decoder& d, CodeMetadata* codeMeta,
 }
 Limits limits;
- if (!DecodeLimits(d, LimitsKind::Memory, &limits)) {
+ if (!DecodeLimits(d, codeMeta, LimitsKind::Memory, &limits)) {
 return false;
 }
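Review bot: The new test pins the pref gate only for memories defined inside the module, although the same commit routes `DecodeTableType` through the gated `DecodeLimits` as well, and imported memories presumably reach it too. A case for an imported memory carrying a `pagesize` annotation, expected to fail with the same pattern, would keep the gate from regressing on that path; the table path probably needs a hand-built binary, since the text format may not accept a page size on a table. The two-alternative regex also deserves a comment, for example `// Either message is fine: pref off at runtime, or feature compiled out of this build.`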
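Review bot: The new `codeMeta` parameter of `DecodeLimits` is undocumented and, as far as the hunks show, is read only inside the `#ifdef ENABLE_WASM_CUSTOM_PAGE_SIZES` block, so it is unused in builds without that define and dereferenced without a check in builds with it. A comment above the signature such as `// codeMeta must be non-null; it is consulted only for the custom-page-sizes pref.` would state the contract. Declaring it `const CodeMetadata* codeMeta` would also show that decoding limits does not modify the metadata, provided `customPageSizesEnabled()` is a const member. The body of `DecodeLimits` continues outside this hunk.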
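Review bot: The pref gate added in the `HasCustomPageSize` branch protects only limits that arrive through this binary decoder; any other path that can leave `limits->pageSize` non-standard is not visible in this diff and should be confirmed to carry the same check, given the commit message says this one was missed. Judging by the test's regex, a pref-off build and a compiled-out build also reject the same module with different messages, so the difference is worth noting where the flag bits are validated (outside this hunk). I would add a why-comment above the new check: `// Compiled in does not mean enabled: the pref is the runtime gate, so reject before reading the page size.` `DecodeLimits` starts and ends outside the hunk.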