Fix arithmetic in interpretation of ArrayNewSeg (#5251)

The offset and size were previously being sign extended from 32 to 64 bits,
which meant that negative sizes could make the bounds check pass and cause an
exception to be thrown by an overly large allocation. Switch to using uint64_t
from the start rather than mixing sizes and signs, and update the tests to
reproduce the error more robustly in the absence of the fix.

Also fix a bug in RemoveUnusedModuleElements triggered by the new test.

Fixes #5249.

1 files changed, 12 insertions, 0 deletions

diff --git a/test/spec/array-new-elem.wast b/test/spec/array-new-elem.wast
index a61122bd6..d20d8109b 100644
--- a/test/spec/array-new-elem.wast
+++ b/test/spec/array-new-elem.wast
@@ -46,3 +46,15 @@
 (assert_return (invoke "get" (i32.const 1)) (i32.const 2))
 (assert_return (invoke "set_get" (i32.const 0) (i32.const 2)) (i32.const 3))
 (assert_return (invoke "len") (i32.const 3))
+
+(module
+  (type $vec (array funcref))
+
+  (elem func)
+
+  (func $new-huge (export "new-huge") (result (ref $vec))
+    (array.new_elem $vec 0 (i32.const 1) (i32.const -1))
+  )
+)
+
+(assert_trap (invoke "new-huge") "out of bounds segment access in array.new_data")