Created
August 27, 2016 15:09
-
-
Save wibblymat/29ef5aed4c34b119c926ecd1bc673030 to your computer and use it in GitHub Desktop.
Binaryen out of bounds memory access
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| void print(int); | |
| void loop() { | |
| for (int i = 0; i < 10; i++) { | |
| print(i); | |
| } | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| .text | |
| .file "test.ll" | |
| .hidden loop | |
| .globl loop | |
| .type loop,@function | |
| loop: # @loop | |
| .local i32 | |
| # BB#0: # %entry | |
| i32.const $push9=, 0 | |
| i32.const $push6=, 0 | |
| i32.load $push7=, __stack_pointer($pop6) | |
| i32.const $push8=, 16 | |
| i32.sub $push14=, $pop7, $pop8 | |
| tee_local $push13=, $0=, $pop14 | |
| i32.store $drop=, __stack_pointer($pop9), $pop13 | |
| i32.const $push0=, 0 | |
| i32.store $drop=, 12($0), $pop0 | |
| .LBB0_1: # %for.cond | |
| # =>This Inner Loop Header: Depth=1 | |
| loop # label0: | |
| i32.load $push1=, 12($0) | |
| i32.const $push16=, 9 | |
| i32.gt_s $push2=, $pop1, $pop16 | |
| br_if 1, $pop2 # 1: down to label1 | |
| # BB#2: # %for.body | |
| # in Loop: Header=BB0_1 Depth=1 | |
| i32.load $push3=, 12($0) | |
| call print@FUNCTION, $pop3 | |
| i32.load $push4=, 12($0) | |
| i32.const $push15=, 1 | |
| i32.add $push5=, $pop4, $pop15 | |
| i32.store $drop=, 12($0), $pop5 | |
| br 0 # 0: up to label0 | |
| .LBB0_3: # %for.end | |
| end_loop # label1: | |
| i32.const $push12=, 0 | |
| i32.const $push10=, 16 | |
| i32.add $push11=, $0, $pop10 | |
| i32.store $drop=, __stack_pointer($pop12), $pop11 | |
| # fallthrough-return | |
| .endfunc | |
| .Lfunc_end0: | |
| .size loop, .Lfunc_end0-loop | |
| .ident "clang version 4.0.0 (http://llvm.org/git/clang.git 5423d8c4fc3b8ba5756f2e16479552191d59e992) (http://llvm.org/git/llvm.git c3dc8a9df086f2eaeff6ecce6e48ca31d2d5bbe2)" | |
| .functype print, void, i32 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| (module | |
| (memory 1) | |
| (export "memory" memory) | |
| (type $FUNCSIG$vi (func (param i32))) | |
| (import $print "env" "print" (param i32)) | |
| (export "loop" $loop) | |
| (func $loop | |
| (local $0 i32) | |
| (i32.store offset=4 | |
| (i32.const 0) | |
| (set_local $0 | |
| (i32.sub | |
| (i32.load offset=4 | |
| (i32.const 0) | |
| ) | |
| (i32.const 16) | |
| ) | |
| ) | |
| ) | |
| (i32.store offset=12 | |
| (get_local $0) | |
| (i32.const 0) | |
| ) | |
| (loop $label$1 $label$0 | |
| (br_if $label$1 | |
| (i32.gt_s | |
| (i32.load offset=12 | |
| (get_local $0) | |
| ) | |
| (i32.const 9) | |
| ) | |
| ) | |
| (call_import $print | |
| (i32.load offset=12 | |
| (get_local $0) | |
| ) | |
| ) | |
| (i32.store offset=12 | |
| (get_local $0) | |
| (i32.add | |
| (i32.load offset=12 | |
| (get_local $0) | |
| ) | |
| (i32.const 1) | |
| ) | |
| ) | |
| (br $label$0) | |
| ) | |
| (i32.store offset=4 | |
| (i32.const 0) | |
| (i32.add | |
| (get_local $0) | |
| (i32.const 16) | |
| ) | |
| ) | |
| ) | |
| ) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment