From 8c00a0ad4356a7dfadfbe5759379a3fd30885718 Mon Sep 17 00:00:00 2001
From: Piotr Sikora
Date: Thu, 4 Aug 2022 00:01:46 -0700
Subject: [PATCH] Don't overread buffers.

While there, make sure to write a return pointer and length when returning an empty buffer.

Reported by Chris Ertl from Google Security.

Signed-off-by: Piotr Sikora
---
 src/exports.cc | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/src/exports.cc b/src/exports.cc
index bdefddeb6..837f9e1e0 100644
--- a/src/exports.cc
+++ b/src/exports.cc
@@ -485,13 +485,21 @@ Word get_buffer_bytes(Word type, Word start, Word length, Word ptr_ptr, Word siz
     return WasmResult::BadArgument;
   }
   // Don't overread.
-  if (start + length > buffer->size()) {
+  if (start > buffer->size()) {
+    length = 0;
+  } else if (start + length > buffer->size()) {
     length = buffer->size() - start;
   }
-  if (length > 0) {
-    return buffer->copyTo(context->wasm(), start, length, ptr_ptr, size_ptr);
+  if (length == 0) {
+    if (!context->wasmVm()->setWord(ptr_ptr, Word(0))) {
+      return WasmResult::InvalidMemoryAccess;
+    }
+    if (!context->wasmVm()->setWord(size_ptr, Word(0))) {
+      return WasmResult::InvalidMemoryAccess;
+    }
+    return WasmResult::Ok;
   }
-  return WasmResult::Ok;
+  return buffer->copyTo(context->wasm(), start, length, ptr_ptr, size_ptr);
 }
 
 Word get_buffer_status(Word type, Word length_ptr, Word flags_ptr) {
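Review bot: The clamp in the new `else if` still computes `start + length` from two guest-controlled values, so it only holds if that addition cannot wrap; the new `start > buffer->size()` guard makes the wrap-free form trivial, `} else if (length > buffer->size() - start) {`, and the body can stay `length = buffer->size() - start;`. Whether the sum can actually wrap depends on the width of `Word`'s arithmetic, which is not visible here: with 64-bit `Word` and 32-bit guest operands it cannot, but with 64-bit guest operands (a wasm64 module) or a narrower `Word` a wrapped sum compares below `buffer->size()` and the original over-read returns through `copyTo`. Since `copyTo` is the bounds-trusting sink, the subtraction form is worth adopting regardless, and a one-line comment such as `// Subtract rather than add so a huge guest length cannot wrap past size().` records why. Note that get_buffer_bytes begins before the hunk, so the earlier validation of `start`/`length` (if any) is not visible in this review.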