From f984324d06e3024f742c7fe9c26aac5bbebe3c71 Mon Sep 17 00:00:00 2001
From: Alon Zakai
Date: Mon, 1 Apr 2024 14:15:26 -0700
Subject: [Strings] string.new_wtf16_array should trap if the end index is less than the start (#6459)
---
 src/wasm-interpreter.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'src/wasm-interpreter.h')
diff --git a/src/wasm-interpreter.h b/src/wasm-interpreter.h
index 8db33de74..c95f694ef 100644
--- a/src/wasm-interpreter.h
+++ b/src/wasm-interpreter.h
@@ -1883,7 +1883,8 @@ public:
 const auto& ptrDataValues = ptrData->values;
 size_t startVal = start.getSingleValue().getUnsigned();
 size_t endVal = end.getSingleValue().getUnsigned();
- if (startVal > ptrDataValues.size() || endVal > ptrDataValues.size()) {
+ if (startVal > ptrDataValues.size() || endVal > ptrDataValues.size() ||
+ endVal < startVal) {
 trap("array oob");
 }
 Literals contents;
--
cgit v1.2.3
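Review bot: With the added `endVal < startVal` clause, the `startVal > ptrDataValues.size()` test in the same condition is implied by the other two, so the guard can be reduced to `if (endVal > ptrDataValues.size() || startVal > endVal) {`, which reads directly as "the range is ordered and ends inside the array". Both indices are unsigned `size_t`, so if the code that consumes the range (outside this hunk) computes `endVal - startVal`, an inverted range would wrap to a very large count rather than go negative. A one-line comment above the check, such as `// Require start <= end <= size; an inverted range would wrap in size_t arithmetic.`, would record why the ordering test has to come before any use of the two values. The enclosing function starts and ends outside the hunk, so how `contents` is filled cannot be confirmed from here.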