[vm] Fix out-of-bounds access to kernel library -1

Certain kinds of functions do not have corresponding kernel binary,
so Function::KernelLibraryIndex() returns -1 for them.

However, flow graph builder and scopes builder established reading of
kernel binary for those functions, which was based on a typed data
view created for a library -1 (treating some unrelated field from
kernel component index as library offset).

This change fixes this out-of-bounds access and avoids reading
any kernel for these functions.

TEST=ci
Fixes #60369

Change-Id: I91717ec6ad905b71bab49d7b3b3f636bda19afb4
Reviewed-on: https://dart-review.googlesource.com/c/sdk/+/417102
Reviewed-by: Alexander Aprelev <[email protected]>
Commit-Queue: Alexander Markov <[email protected]>

Author: alexmarkov

runtime/vm/compiler/frontend/kernel_binary_flowgraph.cc

@@ -970,10 +970,13 @@ FlowGraph* StreamingFlowGraphBuilder::BuildGraph() {
 void StreamingFlowGraphBuilder::ParseKernelASTFunction() {
   const Function& function = parsed_function()->function();
 
-  const intptr_t kernel_offset = function.kernel_offset();
-  ASSERT(kernel_offset >= 0);
-
-  SetOffset(kernel_offset);
+  if (!function.IsNoSuchMethodDispatcher() &&
+      !function.IsInvokeFieldDispatcher() &&
+      !function.IsFfiCallbackTrampoline()) {
+    const intptr_t kernel_offset = function.kernel_offset();
+    ASSERT(kernel_offset >= 0);
+    SetOffset(kernel_offset);
+  }
 
   // Mark forwarding stubs.
   switch (function.kind()) {

runtime/vm/compiler/frontend/scope_builder.cc

@@ -122,12 +122,17 @@ ScopeBuildingResult* ScopeBuilder::BuildScopes() {
 
   parsed_function_->set_scope(scope_);
 
-  helper_.SetOffset(function.kernel_offset());
+  ProcedureAttributesMetadata attrs;
+
+  if (!function.IsNoSuchMethodDispatcher() &&
+      !function.IsInvokeFieldDispatcher() &&
+      !function.IsFfiCallbackTrampoline()) {
+    helper_.SetOffset(function.kernel_offset());
+    attrs = procedure_attributes_metadata_helper_.GetProcedureAttributes(
+        function.kernel_offset());
+  }
 
   FunctionNodeHelper function_node_helper(&helper_);
-  const ProcedureAttributesMetadata attrs =
-      procedure_attributes_metadata_helper_.GetProcedureAttributes(
-          function.kernel_offset());
 
   switch (function.kind()) {
     case UntaggedFunction::kImplicitClosureFunction: {

runtime/vm/kernel_binary.h

@@ -498,9 +498,14 @@ class Reader : public ValueObject {
       : thread_(nullptr), raw_buffer_(buffer), size_(size) {}
 
   void Init() {
-    ASSERT(typed_data_->IsExternalOrExternalView());
-    raw_buffer_ = reinterpret_cast<uint8_t*>(typed_data_->DataAddr(0));
-    size_ = typed_data_->LengthInBytes();
+    if (typed_data_->IsNull()) {
+      raw_buffer_ = nullptr;
+      size_ = 0;
+    } else {
+      ASSERT(typed_data_->IsExternalOrExternalView());
+      raw_buffer_ = reinterpret_cast<uint8_t*>(typed_data_->DataAddr(0));
+      size_ = typed_data_->LengthInBytes();
+    }
     offset_ = 0;
   }
 

runtime/vm/object.cc

@@ -11410,8 +11410,10 @@ KernelProgramInfoPtr Function::KernelProgramInfo() const {
 }
 
 TypedDataViewPtr Function::KernelLibrary() const {
+  const intptr_t kernel_library_index = KernelLibraryIndex();
+  if (kernel_library_index == -1) return TypedDataView::null();
   const auto& info = KernelProgramInfo::Handle(KernelProgramInfo());
-  return info.KernelLibrary(KernelLibraryIndex());
+  return info.KernelLibrary(kernel_library_index);
 }
 
 intptr_t Function::KernelLibraryOffset() const {
@@ -12419,8 +12421,10 @@ void Field::InheritKernelOffsetFrom(const Field& src) const {
 
 #if !defined(DART_PRECOMPILED_RUNTIME)
 TypedDataViewPtr Field::KernelLibrary() const {
+  const intptr_t kernel_library_index = KernelLibraryIndex();
+  if (kernel_library_index == -1) return TypedDataView::null();
   const auto& info = KernelProgramInfo::Handle(KernelProgramInfo());
-  return info.KernelLibrary(KernelLibraryIndex());
+  return info.KernelLibrary(kernel_library_index);
 }
 
 intptr_t Field::KernelLibraryOffset() const {
@@ -15685,6 +15689,7 @@ intptr_t KernelProgramInfo::KernelLibraryStartOffset(
   const intptr_t library_count =
       Utils::BigEndianToHost32(LoadUnaligned(reinterpret_cast<uint32_t*>(
           blob.DataAddr(blob.LengthInBytes() - 2 * 4))));
+  ASSERT((library_index >= 0) && (library_index < library_count));
   const intptr_t library_start =
       Utils::BigEndianToHost32(LoadUnaligned(reinterpret_cast<uint32_t*>(
           blob.DataAddr(blob.LengthInBytes() -
@@ -15694,6 +15699,7 @@ intptr_t KernelProgramInfo::KernelLibraryStartOffset(
 
 TypedDataViewPtr KernelProgramInfo::KernelLibrary(
     intptr_t library_index) const {
+  ASSERT(library_index >= 0);
   const intptr_t start_offset = KernelLibraryStartOffset(library_index);
   const intptr_t end_offset = KernelLibraryEndOffset(library_index);
   const auto& component = TypedDataBase::Handle(kernel_component());
@@ -15706,6 +15712,7 @@ intptr_t KernelProgramInfo::KernelLibraryEndOffset(
   const intptr_t library_count =
       Utils::BigEndianToHost32(LoadUnaligned(reinterpret_cast<uint32_t*>(
           blob.DataAddr(blob.LengthInBytes() - 2 * 4))));
+  ASSERT((library_index >= 0) && (library_index < library_count));
   const intptr_t library_end = Utils::BigEndianToHost32(
       LoadUnaligned(reinterpret_cast<uint32_t*>(blob.DataAddr(
           blob.LengthInBytes() - (2 + (library_count - library_index)) * 4))));