Fix some off-by-one comparisons in assertions

Fuzzing found a small issue with bytecodealliance#9687 and this commit relaxes a few off-by-one checks to allow addressing one-byte-beyond-the-end of a linear memory.
alexcrichton · Dec 7, 2024 · ae8a48c · ae8a48c
1 parent d5ee2a0
commit ae8a48c
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 2 deletions.
diff --git a/crates/wasmtime/src/runtime/vm/mmap.rs b/crates/wasmtime/src/runtime/vm/mmap.rs
@@ -137,7 +137,7 @@ impl Mmap<AlignedLength> {
     ///
     /// Returns an error if `offset >= self.len_aligned()`.
     pub fn offset(self: &Arc<Self>, offset: HostAlignedByteCount) -> Result<MmapOffset> {
-        if offset >= self.len_aligned() {
+        if offset > self.len_aligned() {
             bail!(
                 "offset {} is not in bounds for mmap: {}",
                 offset,
@@ -363,7 +363,7 @@ impl MmapOffset {
         // end of the mmap. We may need to change this if that becomes
         // necessary.
         assert!(
-            offset < mmap.len_aligned(),
+            offset <= mmap.len_aligned(),
             "offset {} is in bounds (< {})",
             offset,
             mmap.len_aligned(),

diff --git a/tests/all/memory.rs b/tests/all/memory.rs
@@ -734,3 +734,19 @@ fn get_memory_type_with_custom_page_size_from_wasm(config: &mut Config) -> Resul
 
     Ok(())
 }
+
+#[wasmtime_test]
+fn configure_zero(config: &mut Config) -> Result<()> {
+    config.guard_before_linear_memory(false);
+    config.memory_guard_size(0);
+    config.memory_reservation(0);
+    config.memory_reservation_for_growth(0);
+    let engine = Engine::new(&config)?;
+    let mut store = Store::new(&engine, ());
+
+    let ty = MemoryType::new(0, None);
+    let memory = Memory::new(&mut store, ty)?;
+    assert_eq!(memory.data_size(&store), 0);
+
+    Ok(())
+}