Prevent fuzzer allocation errors (#2713)

zherczeg · web-flow · commit 6be9e863ce57 · 2026-03-06T20:30:37.000+01:00
diff --git a/src/interp/binary-reader-interp.cc b/src/interp/binary-reader-interp.cc
@@ -73,6 +73,9 @@ struct FixupMap {
 
 class BinaryReaderInterp : public BinaryReaderNop {
  public:
+  // Prevent too much memory allocation errors by fuzzers.
+  static constexpr Index kMaxPreallocatedBufferSize = 16384;
+
   BinaryReaderInterp(ModuleDesc* module,
                      std::string_view filename,
                      Errors* errors,
@@ -525,7 +528,7 @@ Result BinaryReaderInterp::EndModule() {
 }
 
 Result BinaryReaderInterp::OnTypeCount(Index count) {
-  module_.func_types.reserve(count);
+  module_.func_types.reserve(std::min(count, kMaxPreallocatedBufferSize));
   return Result::Ok;
 }
 
@@ -615,7 +618,7 @@ Result BinaryReaderInterp::OnImportTag(Index import_index,
 }
 
 Result BinaryReaderInterp::OnFunctionCount(Index count) {
-  module_.funcs.reserve(count);
+  module_.funcs.reserve(std::min(count, kMaxPreallocatedBufferSize));
   return Result::Ok;
 }
 
@@ -629,7 +632,7 @@ Result BinaryReaderInterp::OnFunction(Index index, Index sig_index) {
 }
 
 Result BinaryReaderInterp::OnTableCount(Index count) {
-  module_.tables.reserve(count);
+  module_.tables.reserve(std::min(count, kMaxPreallocatedBufferSize));
   return Result::Ok;
 }
 
@@ -662,7 +665,7 @@ Result BinaryReaderInterp::EndTableInitExpr(Index index) {
 }
 
 Result BinaryReaderInterp::OnMemoryCount(Index count) {
-  module_.memories.reserve(count);
+  module_.memories.reserve(std::min(count, kMaxPreallocatedBufferSize));
   return Result::Ok;
 }
 
@@ -677,7 +680,7 @@ Result BinaryReaderInterp::OnMemory(Index index,
 }
 
 Result BinaryReaderInterp::OnGlobalCount(Index count) {
-  module_.globals.reserve(count);
+  module_.globals.reserve(std::min(count, kMaxPreallocatedBufferSize));
   return Result::Ok;
 }
 
@@ -719,7 +722,7 @@ Result BinaryReaderInterp::EndGlobalInitExpr(Index index) {
 }
 
 Result BinaryReaderInterp::OnTagCount(Index count) {
-  module_.tags.reserve(count);
+  module_.tags.reserve(std::min(count, kMaxPreallocatedBufferSize));
   return Result::Ok;
 }
 
@@ -760,7 +763,7 @@ Result BinaryReaderInterp::OnStartFunction(Index func_index) {
 }
 
 Result BinaryReaderInterp::OnElemSegmentCount(Index count) {
-  module_.elems.reserve(count);
+  module_.elems.reserve(std::min(count, kMaxPreallocatedBufferSize));
   return Result::Ok;
 }
 
@@ -820,7 +823,7 @@ Result BinaryReaderInterp::EndElemExpr(Index elem_index, Index expr_index) {
 
 Result BinaryReaderInterp::OnDataCount(Index count) {
   validator_.OnDataCount(count);
-  module_.datas.reserve(count);
+  module_.datas.reserve(std::min(count, kMaxPreallocatedBufferSize));
   return Result::Ok;
 }
 

Original file line number	Diff line number	Diff line change
`@@ -73,6 +73,9 @@ struct FixupMap {`
`73`	`73`
`74`	`74`	`class BinaryReaderInterp : public BinaryReaderNop {`
`75`	`75`	`public:`
	`76`	`+ // Prevent too much memory allocation errors by fuzzers.`
	`77`	`+ static constexpr Index kMaxPreallocatedBufferSize = 16384;`
	`78`	`+`
`76`	`79`	`BinaryReaderInterp(ModuleDesc* module,`
`77`	`80`	`std::string_view filename,`
`78`	`81`	`Errors* errors,`
`@@ -525,7 +528,7 @@ Result BinaryReaderInterp::EndModule() {`
`525`	`528`	`}`
`526`	`529`
`527`	`530`	`Result BinaryReaderInterp::OnTypeCount(Index count) {`
`528`		`- module_.func_types.reserve(count);`
	`531`	`+ module_.func_types.reserve(std::min(count, kMaxPreallocatedBufferSize));`
`529`	`532`	`return Result::Ok;`
`530`	`533`	`}`
`531`	`534`
`@@ -615,7 +618,7 @@ Result BinaryReaderInterp::OnImportTag(Index import_index,`
`615`	`618`	`}`
`616`	`619`
`617`	`620`	`Result BinaryReaderInterp::OnFunctionCount(Index count) {`
`618`		`- module_.funcs.reserve(count);`
	`621`	`+ module_.funcs.reserve(std::min(count, kMaxPreallocatedBufferSize));`
`619`	`622`	`return Result::Ok;`
`620`	`623`	`}`
`621`	`624`
`@@ -629,7 +632,7 @@ Result BinaryReaderInterp::OnFunction(Index index, Index sig_index) {`
`629`	`632`	`}`
`630`	`633`
`631`	`634`	`Result BinaryReaderInterp::OnTableCount(Index count) {`
`632`		`- module_.tables.reserve(count);`
	`635`	`+ module_.tables.reserve(std::min(count, kMaxPreallocatedBufferSize));`
`633`	`636`	`return Result::Ok;`
`634`	`637`	`}`
`635`	`638`
`@@ -662,7 +665,7 @@ Result BinaryReaderInterp::EndTableInitExpr(Index index) {`
`662`	`665`	`}`
`663`	`666`
`664`	`667`	`Result BinaryReaderInterp::OnMemoryCount(Index count) {`
`665`		`- module_.memories.reserve(count);`
	`668`	`+ module_.memories.reserve(std::min(count, kMaxPreallocatedBufferSize));`
`666`	`669`	`return Result::Ok;`
`667`	`670`	`}`
`668`	`671`
`@@ -677,7 +680,7 @@ Result BinaryReaderInterp::OnMemory(Index index,`
`677`	`680`	`}`
`678`	`681`
`679`	`682`	`Result BinaryReaderInterp::OnGlobalCount(Index count) {`
`680`		`- module_.globals.reserve(count);`
	`683`	`+ module_.globals.reserve(std::min(count, kMaxPreallocatedBufferSize));`
`681`	`684`	`return Result::Ok;`
`682`	`685`	`}`
`683`	`686`
`@@ -719,7 +722,7 @@ Result BinaryReaderInterp::EndGlobalInitExpr(Index index) {`
`719`	`722`	`}`
`720`	`723`
`721`	`724`	`Result BinaryReaderInterp::OnTagCount(Index count) {`
`722`		`- module_.tags.reserve(count);`
	`725`	`+ module_.tags.reserve(std::min(count, kMaxPreallocatedBufferSize));`
`723`	`726`	`return Result::Ok;`
`724`	`727`	`}`
`725`	`728`
`@@ -760,7 +763,7 @@ Result BinaryReaderInterp::OnStartFunction(Index func_index) {`
`760`	`763`	`}`
`761`	`764`
`762`	`765`	`Result BinaryReaderInterp::OnElemSegmentCount(Index count) {`
`763`		`- module_.elems.reserve(count);`
	`766`	`+ module_.elems.reserve(std::min(count, kMaxPreallocatedBufferSize));`
`764`	`767`	`return Result::Ok;`
`765`	`768`	`}`
`766`	`769`
`@@ -820,7 +823,7 @@ Result BinaryReaderInterp::EndElemExpr(Index elem_index, Index expr_index) {`
`820`	`823`
`821`	`824`	`Result BinaryReaderInterp::OnDataCount(Index count) {`
`822`	`825`	`validator_.OnDataCount(count);`
`823`		`- module_.datas.reserve(count);`
	`826`	`+ module_.datas.reserve(std::min(count, kMaxPreallocatedBufferSize));`
`824`	`827`	`return Result::Ok;`
`825`	`828`	`}`
`826`	`829`