[wasm] Check for type-definition count limit

Bug: chromium:330575498 Change-Id: I395f0ed6d823b7d1e139da6551486e3627d65724 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5378419 Commit-Queue: Jakob Kummerow <[email protected]> Reviewed-by: Jakob Kummerow <[email protected]> Auto-Submit: Manos Koukoutos <[email protected]> Cr-Commit-Position: refs/heads/main@{#92941}
denoland · Mar 21, 2024 · b852ad7 · b852ad7
1 parent 28877c5
commit b852ad7
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/src/wasm/module-decoder-impl.h b/src/wasm/module-decoder-impl.h
@@ -661,6 +661,11 @@ class ModuleDecoderImpl : public Decoder {
  }
  } else {
  if (tracer_) tracer_->TypeOffset(pc_offset());
+ if (initial_size + 1 > kV8MaxWasmTypes) {
+ errorf(pc(), "Type definition count exceeds maximum %zu",
+ kV8MaxWasmTypes);
+ return;
+ }
  // Similarly to above, we need to resize types for a group of size 1.
  module_->types.resize(initial_size + 1);
  module_->isorecursive_canonical_type_ids.resize(initial_size + 1);