Fix TableFill bounds checking (#6621)

The offsets are unsigned.

1 files changed, 4 insertions, 9 deletions

diff --git a/src/wasm-interpreter.h b/src/wasm-interpreter.h
index f9b7e8c50..c12f9cc33 100644
--- a/src/wasm-interpreter.h
+++ b/src/wasm-interpreter.h
@@ -3137,21 +3137,16 @@ public:
     }
     auto info = getTableInstanceInfo(curr->table);
 
-    auto* table = self()->wasm.getTable(info.name);
-    Index dest = table->indexType == Type::i64
-                   ? destFlow.getSingleValue().geti64()
-                   : destFlow.getSingleValue().geti32();
+    auto dest = destFlow.getSingleValue().getUnsigned();
     Literal value = valueFlow.getSingleValue();
-    Index size = table->indexType == Type::i64
-                   ? sizeFlow.getSingleValue().geti64()
-                   : sizeFlow.getSingleValue().geti32();
+    auto size = sizeFlow.getSingleValue().getUnsigned();
 
-    Index tableSize = info.interface()->tableSize(info.name);
+    auto tableSize = info.interface()->tableSize(info.name);
     if (dest + size > tableSize) {
       trap("out of bounds table access");
     }
 
-    for (Index i = 0; i < size; ++i) {
+    for (uint64_t i = 0; i < size; i++) {
       info.interface()->tableStore(info.name, dest + i, value);
     }
     return Flow();